2020-11-21 UTC
# Zegnat I am thinking, the `me` returned from the AS is trusted from the user/AS point of view, but is not yet trusted from the client point of view as the user might be trying an impersonation attack. So the client should try to establish a trusted relationship between `me` and `authorization_endpoint` no matter what.