Vivek Shankar

Results 37 comments of Vivek Shankar

@aeneasr I have an implementation for this that I can contribute. Please let me know if there's interest.

It isn't a draft. It's been the only full RFC for sender-constrained access tokens. You might be thinking about DPoP. @mitar

@aeneasr `self_signed_tls_client_auth` can be done but I don't see a lot of value with that implementation. `tls_client_auth` is used extensively, particularly for Financial API regulated implementations. With regard to the...

@aeneasr You really need to learn how to take vacation 😁 The header approach is very common. Akamai, for example, offers the ability to include the full PEM and/or parsed...

The certificate format is usually url-encoded pem but the proxy may also have the ability to send certificate attributes and computed values. Here's a snippet from Cloudflare:

> For companies...

OK that makes sense. Maybe a tailored session interface that provides functions to get pem or specific attributes or the computed fingerprint?

@aeneasr For the ID token etc., this is relatively easy to accomplish with a custom implementation of JWTStrategy and performing the encryption on the Generate function. Perhaps a couple of...

@aeneasr This is regarding a change I see in the master branch.

```
type Signer interface {
	Generate(ctx context.Context, claims MapClaims, header Mapper) (string, string, error)
	Validate(ctx context.Context, token string)...
```

Yes, the error can be mapped by overriding WriteAuthorizeError. Just doesn't seem worthwhile to me. Also if there is an intention to certify Hydra for FAPI Advanced Final, this will...

It is possible the MessageCatalog can be enhanced to compute the `error` and not just the error description. That way an implementer can effectively map `unsupported_response_mode` to `invalid_request` with no...