RFC-Conformity depends on Implementation #79

Status: Open
Labels: compliance (OAuth 2.0 standard compliance), documentation (Improvements or additions to documentation)
Opened by @Uzlopak

Description

We should document that some conformity rules can only be implemented by the express/fastify/koa etc. layer.

Maybe we should collect the MUST rules for meeting the conformity requirements that are (currently?) out of scope of the oauth2-server.

  • The authorization endpoint MUST support the GET method. Probably a lot of people only implement the POST but not the GET method.
 The authorization server MUST support the use of the HTTP "GET"
 method [RFC2616] for the authorization endpoint and MAY support the
 use of the "POST" method as well.

https://datatracker.ietf.org/doc/html/rfc6749#section-3.1

  • TLS is also necessary, which is not enforced by the oauth2-server
 The authorization server MUST require the use of TLS as described in
 Section 1.6 when sending requests using password authentication.

https://datatracker.ietf.org/doc/html/rfc6749#section-2.3.1

  • Brute-force protection for the endpoints is also a MUST according to the RFC.
 Since this client authentication method involves a password, the
 authorization server MUST protect any endpoint utilizing it against
 brute force attacks.
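
The following is an added example, not part of this issue or of the oauth2-server code base: a stdlib-only Node.js guard that the host HTTP layer (express/fastify/koa or plain `http`) would put in front of the library to cover the three MUSTs quoted above. It goes slightly beyond the post by also requiring TLS at the authorization endpoint, which RFC 6749 §3.1 demands as well. The names `isTls`, `BruteForceGuard`, `clientIdFromBasic`, `evaluate` and `conformanceGuard`, the `/authorize` and `/token` paths, and the `handlers` object that stands in for the calls into the OAuth library are all assumptions made for illustration.

```javascript
// Added example, not oauth2-server code: a stdlib-only guard layer that the
// host HTTP framework puts in front of the library to satisfy three RFC 6749
// MUSTs. All names here (isTls, BruteForceGuard, evaluate, conformanceGuard)
// and the /authorize and /token paths are assumptions for illustration.

// RFC 6749 §1.6/§2.3.1/§3.1: TLS MUST be required at the token endpoint when
// client passwords are used, and at the authorization endpoint. Behind a
// TLS-terminating proxy the X-Forwarded-Proto header is honoured only when
// the deployer opts in, because any client can send that header itself.
function isTls(req, { trustProxy = false } = {}) {
  if (req.socket && req.socket.encrypted) return true;
  if (!trustProxy) return false;
  const xfp = String(req.headers['x-forwarded-proto'] || '').split(',')[0].trim();
  return xfp.toLowerCase() === 'https';
}

// RFC 6749 §3.1: the authorization endpoint MUST support GET; POST is MAY.
const AUTHORIZE_METHODS = new Set(['GET', 'POST']);

// RFC 6749 §2.3.1: endpoints that accept a client password MUST be protected
// against brute force. Fixed-window failure counter keyed on client_id plus
// the caller's address, so one rogue source cannot lock out a legitimate
// client everywhere. `now` is injectable so the window can be tested.
class BruteForceGuard {
  constructor({ maxFailures = 5, windowMs = 60000, now = Date.now } = {}) {
    this.maxFailures = maxFailures;
    this.windowMs = windowMs;
    this.now = now;
    this.failures = new Map(); // key -> { count, windowStart }
  }
  _key(clientId, ip) { return `${clientId}\u0000${ip}`; }
  _live(key) { // entry for key if its window has not expired, else drop it
    const e = this.failures.get(key);
    if (!e) return undefined;
    if (this.now() - e.windowStart >= this.windowMs) { this.failures.delete(key); return undefined; }
    return e;
  }
  isBlocked(clientId, ip) {
    const e = this._live(this._key(clientId, ip));
    return Boolean(e) && e.count >= this.maxFailures;
  }
  recordFailure(clientId, ip) {
    const key = this._key(clientId, ip);
    const e = this._live(key) || { count: 0, windowStart: this.now() };
    e.count += 1;
    this.failures.set(key, e);
  }
  recordSuccess(clientId, ip) { this.failures.delete(this._key(clientId, ip)); }
  retryAfterSeconds(clientId, ip) {
    const e = this._live(this._key(clientId, ip));
    return e ? Math.max(1, Math.ceil((e.windowStart + this.windowMs - this.now()) / 1000)) : 0;
  }
}

// client_id from an HTTP Basic header; RFC 6749 §2.3.1 form-encodes the id and
// secret before base64. Returns null when the header is absent or malformed.
function clientIdFromBasic(header) {
  const m = /^Basic\s+([A-Za-z0-9+\/=]+)$/i.exec(String(header || '').trim());
  if (!m) return null;
  const decoded = Buffer.from(m[1], 'base64').toString('utf8');
  const i = decoded.indexOf(':');
  if (i < 0) return null;
  try { return decodeURIComponent(decoded.slice(0, i)); } catch (e) { return null; }
}

// Pure decision for one request: the response the guard must send itself
// ({ status, headers }), or null when the request may reach the OAuth handler.
function evaluate({ path, method, tls, clientId, ip }, guard) {
  if (path !== '/authorize' && path !== '/token') return { status: 404, headers: {} };
  if (!tls) return { status: 403, headers: {} }; // never accept plaintext credentials
  if (path === '/authorize' && !AUTHORIZE_METHODS.has(method)) {
    return { status: 405, headers: { Allow: 'GET, POST' } };
  }
  if (path === '/token' && guard.isBlocked(clientId, ip)) {
    return { status: 429, headers: { 'Retry-After': String(guard.retryAfterSeconds(clientId, ip)) } };
  }
  return null;
}

// Request listener for http.createServer. `handlers.authorize(req, res)` and
// `handlers.token(req)` stand in for the calls into the OAuth library;
// token() must resolve to { ok, status, body } so failures can be counted.
function conformanceGuard(handlers, options = {}) {
  const guard = options.guard || new BruteForceGuard(options);
  return async function (req, res) {
    const path = new URL(req.url, 'http://placeholder').pathname;
    const clientId = clientIdFromBasic(req.headers.authorization) || ''; // '' keys on ip only
    const ip = req.socket.remoteAddress;
    const verdict = evaluate({ path, method: req.method, tls: isTls(req, options), clientId, ip }, guard);
    if (verdict) { res.writeHead(verdict.status, verdict.headers); return res.end(); }
    if (path === '/authorize') return handlers.authorize(req, res);
    const result = await handlers.token(req);
    if (result.ok) guard.recordSuccess(clientId, ip); else guard.recordFailure(clientId, ip);
    res.writeHead(result.status, { 'Content-Type': 'application/json', 'Cache-Control': 'no-store' });
    res.end(JSON.stringify(result.body));
  };
}
```

Pass `conformanceGuard(handlers, { trustProxy: true })` to `http.createServer` only when a proxy you control terminates TLS and overwrites `X-Forwarded-Proto`; otherwise leave `trustProxy` off, since the header is attacker-controlled. The limiter keys on `client_id` plus source address and counts only failed token requests, so a single bad actor cannot lock a legitimate client out from every address; a production deployment would back the `Map` with a shared store so the count survives restarts and multiple instances.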
