Re: [OAUTH-WG] OAuth Tokens and URI's

2016-12-09 Thread Jim Manico
... One more note. You mentioned in this section... o Use form post mode instead of redirect for authorization response... This might be worth expanding on. /Use form post and keep data OUT OF THE ACTION/ (which is essentially the same as a GET). Safe transport of tokens includes well

[OAUTH-WG] OAuth Tokens and URI's

2016-12-09 Thread Jim Manico
Torsten, The https://datatracker.ietf.org/doc/draft-lodderstedt-oauth-security-topics/?include_text=1 guide you are working on is a special kind of magic. Thank you for taking the time to write this very important document. When it comes to 2.2.1, I see your great suggestion to prevent referrer