Dear auth0 team,
there are already a few tickets related to this topic:
The following OpenID Connect draft specs (all dated 25th of January 2017) address the problem with different approaches:
What is your opinion on those specs and will you adopt any of them in the near future?
Thanks in advance,