Hi, at 13:03 Dominic mentions that a random number hash is sent to the STS from the client , in the first leg and in the last leg, the random number is sent in clear text. The STS will hash the random number and try to match the hashes. In my thinking, in this case, the STS needs to know the hashing algorithm used by the client and uses the same one or use the certificate public key for this purpose? Related questions; if the attacker is able to intercept the access_token, code/identity_token, he might be also in a position to intercept the clear text being sent to the STS and hence can do a re-play of the same request. Is the code one time use? If yes, what happens if the client wants an access_token for another service it needs to invoke?