#[tb]Oh actually that leads me to my last question. For my `response_type=id` flow, I force a scope of `profile` no matter what they give as `scope` in case they decide to use the access grant to get a token instead of just POST back to the auth endpoint again