At least in the latest spec: https://openid.net/specs/openid-connect-rpinitiated-1_0.html

Currently Hydra uses id_token_hint to determine if logout is RP-initiated or OP-initiated. I do not think this is possible by relaying on id_token_hint.

Looking at the implementation of issueLogoutVerifier I think the logic is correct (if id_token_hint is missing, you ask for consent, if it is p

Is your feature request related to a problem? Please describe.

The public key-based request signing functionality added to sso_proxy in buzzfeed/sso#106 is undocumented. In particular, it's not immediately obvious how to a) generate an appropriate keypair or b) validate a signed request in an upstream service.

Describe the solution you'd like

New documenta

Describe the bug

I think this is a similar problem than what was already reported in ory/fosite#434, but elsewhere in the code. I believe all calls to url.QueryUnescape should be removed from the code. Go already escapes all query/form parameters automatically and unescaping again can just break things.

Example:

func GetRedirectURIFromRequestValues(value

Not seeing how I'd be able to do that. the step certificate create -csr seems to expect to create a new private key