Merged in josephheenan/fapi/state-fixes (pull request #46)
Make it explicit that s_hash is only required if client supplies state
fixes #110
Part 1: Make state mandatory if using pure OAuth
State is the only way to achieve CSRF protection etc. when not using OpenID Connect.
fixes #114
Be clear about which id_token s_hash is required in
This essentially mirrors the language about at_hash and c_hash in:
https://openid.net/specs/openid-connect-core-1_0.html#HybridIDToken2
fixes #130