Missing test for POST on authorize request
Section 3.1.2.1 contains the following:
Authorization Servers MUST support the use of the HTTP GET and POST methods defined in RFC 7231 [RFC7231] at the Authorization Endpoint.
However, there is no test in the conformance suite that tests whether an AS supports POST. Therefore an AS that passed the conformance suite may not actually be interoperable with clients that expect this behavior.
This is higher priority now because FHIR copied this requirement from OpenID Connect, and the ONC HHS published a Final Rule in January 2024 that requires authorization servers support the POST method. https://www.federalregister.gov/d/2023-28857/p-1249
We clarify the “authorize-post” capability is not an optional capability
It would be helpful for implementers to know whether their servers are compliant with this requirement when using the conformance suite.
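A sketch of what such a check could look like, as an added example that is not part of the original issue or of the conformance suite: it sends the same authorization request by GET and by form-encoded POST and compares the outcomes. The toy server from `make_as`, the `/authorize` and `/login` paths, the request parameters, and the pass criterion (POST yields the same status and `Location` as GET) are all assumptions made for illustration.

```python
import http.client
import threading
import urllib.parse
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample request; client_id and redirect_uri are placeholders.
PARAMS = {"response_type": "code", "client_id": "example-client", "scope": "openid",
          "redirect_uri": "https://client.example/cb", "state": "s1"}

def make_as(allow_post):  # toy AS on localhost, a stand-in for the server under test
    class Handler(BaseHTTPRequestHandler):
        def _reply(self, status, location=None):
            self.send_response(status)
            if location:
                self.send_header("Location", location)
            self.send_header("Content-Length", "0")
            self.end_headers()
        def _authorize(self, encoded):
            status = 302 if "client_id" in urllib.parse.parse_qs(encoded) else 400
            self._reply(status, "/login" if status == 302 else None)
        def do_GET(self):
            self._authorize(urllib.parse.urlsplit(self.path).query)
        def do_POST(self):
            body = self.rfile.read(int(self.headers.get("Content-Length", 0))).decode()
            if allow_post:
                self._authorize(body)  # Form Serialization: parameters in the body
            else:
                self._reply(405)
        def log_message(self, *args): pass  # keep the demo quiet
    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def probe(host, port, method):  # one authorization request; redirects are not followed
    encoded = urllib.parse.urlencode(PARAMS)
    conn = http.client.HTTPConnection(host, port, timeout=5)
    if method == "POST":
        conn.request("POST", "/authorize", body=encoded,
                     headers={"Content-Type": "application/x-www-form-urlencoded"})
    else:
        conn.request("GET", "/authorize?" + encoded)
    resp = conn.getresponse()
    conn.close()
    return resp.status, resp.getheader("Location")

def check_post_support(host, port):
    get_result, post_result = probe(host, port, "GET"), probe(host, port, "POST")
    if post_result[0] in (405, 501):
        return "FAIL: POST rejected with HTTP %d" % post_result[0]
    return "PASS" if post_result == get_result else "FAIL: POST handled differently from GET"
```

Calling `check_post_support(*make_as(False).server_address)` shows the case the issue is concerned with: a GET-only server that such a test would flag.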