kylewmaaronpk: i was thinking about authorization_endpoint returning a different "me" than it was given -- that may already be a vulnerability depending on how the micropub client is written. and it's a good reason to rediscover the token endpoint instead of caching it in the first part
