Hacker News

> Secondly the whole token exchange thing is quite opaque. If there's something wrong with the certificate or the returned token, it can be quite difficult to figure out what's wrong from our end.

When you say "token exchange" are you specifically referring to the token exchange type grant that was ratified in 2020 or do you mean calling the token endpoint to get the token as part of the PKCE workflow? If it is the prior, I'm curious about your experience with this relatively new feature and why it's so difficult to use.



Sorry, I was being sloppy, I was just referring to the whole OIDC exchange from authentication to authorization.



