added FIXME info so we don't forget to check this

Author: ylebre

src/Controller/TokenController.php

@@ -27,6 +27,8 @@ final public function __invoke(ServerRequestInterface $request, array $args): Re
 		$server	= new \Pdsinterop\Solid\Auth\Server($this->authServerFactory, $this->authServerConfig, $response);
 		$response = $server->respondToAccessTokenRequest($request);
 
+		// FIXME: not sure if decoding this here is the way to go.
+		// FIXME: because this is a public page, the nonce from the session is not available here.
 		$codeInfo = $this->tokenGenerator->getCodeInfo($code);
 		$response = $this->tokenGenerator->addIdTokenToResponse($response, $clientId, $codeInfo['user_id'], $_SESSION['nonce'], $this->config->getPrivateKey());