Are there any plans to do an opam release soon? Just asking — could still work around this downstream using my much-overused rename-and-vendor workflow.
I'm not sure what ocaml-oidc should do here — ignore, fail (like it does now) or try to parse an array — but just creating the issue to discuss and at least to document this behaviour.
Looking through a list of OAuth providers on Wikipedia, I made a short list of "important" OAuth2 providers that it may be good to test this repo against/adapt it to. The information on Wikipedia might be out of date, and the providers might be diverging from the specs in various ways, so we might simply not do some of them initially. Also, some providers might have extensive additional mechanisms, and be OAuth2 only in the sense of being based on OAuth2, yet still not be OIDC. I suspect Instagram might have something like that (perhaps it uses Facebook Connect). So we would address each provider separately.
In the OAuth2 example, it appears to be possible to trigger login without any user interaction by causing the user's browser to do a GET /auth on the app, since the handler does not check any cookies, CSRF tokens, etc.
A state parameter that is somehow associated with the client's user agent (usually meaning, with a cookie) is necessary to protect the OAuth2 callback from CSRF-like attacks. The library code appears to support passing state around, but the example does not use state, and it does not appear to be pointed out in the library docs.