- generate JWT id_token in token exchange
- store optional nonce in authorization object
- switch to RS256 algorithm for JWT signature
- add JWKs endpoint to provide OIDC clients with public keys