
RFC-Conformity depends on Implementation

Open Uzlopak opened this issue 3 years ago • 2 comments

We should document, that some conformity rules can only be implemented by the express/fastify/koa-etc. layer.

Maybe we should collect the MUST rules for meeting the conformity requirements but are (currently?) out of scope of the oauth2-server.

  • the authorization endpoint MUST support the GET method. Probably a lot of people only implement the POST but not the GET method.
   The authorization server MUST support the use of the HTTP "GET"
   method [RFC2616] for the authorization endpoint and MAY support the
   use of the "POST" method as well.

https://datatracker.ietf.org/doc/html/rfc6749#section-3.1

  • TLS is also necessary, which is not enforced by the oauth2-server
   The authorization server MUST require the use of TLS as described in
   Section 1.6 when sending requests using password authentication.

https://datatracker.ietf.org/doc/html/rfc6749#section-2.3.1

  • Brute-Force Protection for the endpoints is also a MUST regarding the RFC.
   Since this client authentication method involves a password, the
   authorization server MUST protect any endpoint utilizing it against
   brute force attacks.

Uzlopak avatar Nov 18 '21 14:11 Uzlopak
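The three MUST rules quoted above, as a transport-layer guard that an express/koa/fastify adapter could run ahead of the library (added example, not node-oauth2-server's own code; the plain request shape, the `authenticate` callback and the lockout numbers are assumptions):

```javascript
// Added example, not node-oauth2-server code: requests are assumed to be plain {method, secure, headers, body}.
const MAX_FAILED_ATTEMPTS = 5;   // constructed policy value
const WINDOW_MS = 15 * 60 * 1000;
// RFC 6749 §3.1: the authorization endpoint MUST accept GET (POST is optional).
function checkAuthorizeMethod(req) {
  if (req.method === 'GET' || req.method === 'POST') return { ok: true };
  return { ok: false, status: 405, error: 'method_not_allowed' };
}

// RFC 6749 §2.3.1: token requests carrying client credentials MUST be over TLS.
// `req.secure` reflects the socket; X-Forwarded-Proto is only honoured when the
// deployment explicitly trusts its reverse proxy.
function checkTls(req, trustProxy = false) {
  const forwarded = ((req.headers || {})['x-forwarded-proto'] || '').toLowerCase();
  const secure = req.secure === true || (trustProxy && forwarded === 'https');
  return secure ? { ok: true } : { ok: false, status: 400, error: 'invalid_request' };
}

// RFC 6749 §2.3.1: endpoints using password-based client auth MUST be protected
// against brute force. A per-client sliding window of failed authentications.
class BruteForceGuard {
  constructor(max = MAX_FAILED_ATTEMPTS, windowMs = WINDOW_MS, now = Date.now) {
    this.max = max; this.windowMs = windowMs; this.now = now;
    this.failures = new Map(); // client_id -> [failure timestamps]
  }
  recent(clientId) {
    const cutoff = this.now() - this.windowMs;
    const list = (this.failures.get(clientId) || []).filter(t => t > cutoff);
    this.failures.set(clientId, list);
    return list;
  }
  isLocked(clientId) { return this.recent(clientId).length >= this.max; }
  recordFailure(clientId) { this.recent(clientId).push(this.now()); }
  reset(clientId) { this.failures.delete(clientId); }
}
// Runs the checks in order; the `authenticate` callback stands in for the
// library's client lookup and returns true/false.
function guardTokenRequest(req, guard, authenticate, trustProxy = false) {
  const tls = checkTls(req, trustProxy);
  if (!tls.ok) return tls;
  const clientId = req.body.client_id;
  if (guard.isLocked(clientId)) return { ok: false, status: 429, error: 'too_many_attempts' };
  if (!authenticate(clientId, req.body.client_secret)) {
    guard.recordFailure(clientId);
    return { ok: false, status: 401, error: 'invalid_client' };
  }
  guard.reset(clientId);
  return { ok: true };
}
```

A locked client stays rejected even when it later presents the correct secret, until the window expires; that is what keeps an attacker from learning the secret by interleaving guesses.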

This is a very good idea, because it would help client implementations to write their own compliance suite much more efficiently.

jankapunkt avatar Nov 19 '21 07:11 jankapunkt

We should create a documentation like COMPLIANCE.md for that.

jankapunkt avatar Nov 19 '21 07:11 jankapunkt