#[dmitshur] applied to IndieAuth, it could mean something like... if authz endpoint returns a "me" URL where the original user profile URL isn't a prefix of it, then it should be confirmed that the returned "me" URL specifies the same authorization endpoint URL.