Missing authorization interface

[mateusz]

Not sure if this is on purpose, but the step where user would be asked to approve access to specific scopes is missing.

This is fine for me, as I have a very limited scope (just one resource - for "sso/profile"), use it exclusively for SSO, and I control both server and the client, but might not be so palatable if people want to use it as more full-fledged resource gatekeeper?

Would it make sense to put a note in README about that?

[IanSimpson]

Yes, this is one step I missed entirely. I had the same situation as you - controlling both the server and client, so can assume trust. Noting in the README beyond the broad "this is very beta" note I have might be a good idea!