Hello again,
So I’m progressing and managed to retrieve claims using said flow, (still encrypted). I’d like to do it the proper way and I’m concerned with security and authenticity.
I understood “state” parameter purpose.
In your example, you don’t seem to use nonce. Is it “optional”? I can’t see exactly how its usage differs from state (which seems to be: generating a random TOKEN-A and checking at some point of the process that the returned value equals TOKEN-A).
I’m also curious as to why we use a POST request on a URI that contains query parameters?
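As an added illustration of the two checks the question contrasts (not code from this thread or its author), the sketch below is a minimal relying-party helper: `state` is minted per session and compared on the redirect back, while `nonce` is minted per login attempt and compared against the `nonce` claim inside the returned ID token. The session store, client id, redirect URI and the `make_demo_id_token` helper are constructed for the demo; a real client verifies the ID token signature and issuer before reading any claim.

```python
import base64
import json
import secrets

# Constructed in-memory session store for the demo: maps a browser
# session id to the state and nonce minted for that authorization request.
SESSIONS = {}


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment.encode("ascii"))


def build_authorization_request(session_id, client_id, redirect_uri):
    """Mint fresh state and nonce, bind them to the session, return the query params."""
    state = secrets.token_urlsafe(32)   # unguessable, single use
    nonce = secrets.token_urlsafe(32)   # unguessable, single use
    SESSIONS[session_id] = {"state": state, "nonce": nonce}
    return {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": state,
        "nonce": nonce,
    }


def check_callback_state(session_id, returned_state):
    """state ties the redirect back to the session that started the flow (anti-CSRF).

    The comparison is against what *this* session stored, so a redirect
    carrying someone else's code/state is rejected."""
    session = SESSIONS.get(session_id)
    if session is None:
        return False
    return secrets.compare_digest(session["state"], returned_state)


def check_id_token_nonce(session_id, id_token):
    """nonce ties the ID token itself to this login attempt (anti-replay).

    state never enters the token; nonce does, so a token issued for an
    earlier or different request will not match. Signature verification of
    the token is assumed to have happened before this check."""
    session = SESSIONS.get(session_id)
    if session is None:
        return False
    parts = id_token.split(".")
    if len(parts) != 3:
        return False
    try:
        claims = json.loads(_b64url_decode(parts[1]))
    except (ValueError, json.JSONDecodeError):
        return False
    return secrets.compare_digest(session["nonce"], str(claims.get("nonce", "")))


def finish_login(session_id):
    """Discard state and nonce once consumed so they cannot be reused."""
    SESSIONS.pop(session_id, None)


def make_demo_id_token(claims):
    """Constructed, unsigned token for the demo only (signature is a placeholder)."""
    header = _b64url_encode(json.dumps({"alg": "none"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.signature-placeholder"


if __name__ == "__main__":
    params = build_authorization_request("sess-1", "demo-client", "https://rp.example/cb")
    print("state ok:", check_callback_state("sess-1", params["state"]))
    token = make_demo_id_token({"sub": "alice", "nonce": params["nonce"]})
    print("nonce ok:", check_id_token_nonce("sess-1", token))
    finish_login("sess-1")
```

The two values are kept separate because they defend against different things: a matching `state` proves the browser that started the flow is the one finishing it, while a matching `nonce` proves the ID token was minted for that particular request rather than captured and replayed.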