Lucian H

> We're still not on the same page here. Spring Authorization Server is NOT an HTTP Server so the HTTP spec cannot take precedence over the OAuth2 spec. I reviewed...

@jgrandja Yes, this would fix the problem. I was talking this over with my colleagues earlier and it would seem like maybe the best option in this case would be...

Hey @jgrandja we're likely to need this feature in the next quarter. It's worth noting that it's a requirement for some social logins like Google's Streamlined account linking https://developers.google.com/identity/account-linking/oauth-with-sign-in-linking if...

> Refresh tokens should not be returned. Yeah, I was afraid you'd say this :-/ I agree with you, but unfortunately Google have taken a different view on this. They're...

> I believe the implementation would be very similar to OAuth2ClientCredentialsAuthenticationProvider One interesting problem/question here is that you can - and frequently will - have both an authenticated client _and_...

Yep that sounds good. Due to scheduling constraints at this end it's likely to be in the New Year, but I'll keep you posted.