Made some changes in indieweb/elixir so that response_type=id is more-or-less the same as response_type=code.

A big change I’m seeing is this:

All IndieAuth clients MUST use PKCE (RFC7636) to protect against authorization code injection and CSRF attacks. A non-canonical description of the PKCE mechanism is described below, but implementers should refer to RFC7636 for details.

PKCE stands for “Proof Key for Code Exchange”. This is a new hard requirement and it explains why I couldn’t sign into clients like Aperture or Monocle. Let’s patch that up!