tekul
When reading the "under the hood" chapter I was confused because the definition of the "real" `Future` didn't include methods like `boxed` which the chapter uses later. It was only...
These are currently ignored, other than as provided to the client via the discovery response. The client can still use unsupported options in requests and have them processed. For example...
http://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html
See http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
Should be validated as per http://openid.net/specs/openid-connect-registration-1_0-20.html#Security
An error page for errors which are reported to the users, rather than as redirects to the client. Currently the textual error is just printed in the browser.
OP-OAuth-2nd-Revokes requires that using an authorization code twice revokes access tokens. See also 10.5 of RFC6749. The requirement is only for access tokens based on the code itself, but this...
See http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest. Need to work out what possible use cases apply.
As described in the [client authentication](http://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication) section of the spec, client assertion JWTs should only be used once. A caching/checking function is needed to make sure the same token identifier...
The OP needs to be able to manage keys as defined in http://openid.net/specs/openid-connect-core-1_0.html#RotateSigKeys - Configure a lifetime for key(s) and a grace period within which old keys are valid -...