Hi all, I was just setting up Koha to use an OpenID Connect server provided by a Wordpress plugin, and it sent an "iframe" query string parameter along with the "code". I added "iframe" as an optional parameter to public_oauth.yaml which got it working, but it seems an unfortunate workaround. It looks like Koha::REST::V1::Auth::authenticate_api_request validates query parameters and will fail if there's one that isn't in the spec. Most of the time that might be the right thing to do, but I don't think it's the right thing for the OAuth/OIDC routes. What do other people think? David Cook Senior Software Engineer Prosentient Systems Suite 7.03 6a Glen St Milsons Point NSW 2061 Australia Office: 02 9212 0899 Online: 02 8005 0595