#Loqi [aaronpk] #58 Allow clients to always exchange authorization codes at the token endpoint
#Zegnat I guess the only bit that may be a little confusing is that your response is different depending on whether the client is doing the code exchange against the auth or token endpoint. If I have a profile scope and exchange with the auth endpoint I do not expect an access_token back, but when I go with the exact same flow against the token endpoint I do expect one?
#Zegnat GWG: I guess my question is what to do if the client requested a profile scope and then goes and exchanges it at the token endpoint rather than at the auth endpoint
#Loqi [Zegnat] > Token endpoints need to be aware that they should **not issue an access token if** no scope or **only profile scopes are issued** [...]
Emphasis by me. When I was writing up #62 and rereading this issue, I realised that this does not seem to be ...
#Zegnat These are typical things that I did not notice on my final big read through, but am noticing now that I am playing around implementing the spec again
#[tb] It's actually about all Stilus does so far lol
#Zegnat I am obsessively documenting error responses in my code now, because I always get them wrong.
#[tb] Yeah error cases are what I still need to do on that code I linked
#Zegnat For me it is more like PKCE RFC 7636 tells me what error responses to give on faulty requests, but OAuth 2.0 RFC 6749 tells me how to actually send the error response, and everything just gets jumbled super easily.
#Zegnat [insert something about OAuth 2.1 being great for combining it all into one document again]