The 'session lost' error page contains links that point straight to the SURFnet website.
I can't configure these links without directly editing the template files.

The Authorization endpoint currently does not support ephemeral ports on loopback redirect uris.

This prevents native apps that use random port numbers to receive authorization codes to interoperate with OpenConext.

RFC8252
(OAuth 2.0 for Native Apps)
reads in section 7.3. Loopback Interface Redirection:

   The authorization server MUST allow any port to be specified at the
   time of the request for loopback IP redirect URIs, to accommodate
   clients that obtain an available ephemeral port from the operating
   system at the time of the request.

This could be changed easily by ignoring port numbers on redirect URIs for loopback addresses. See
https://github.com/OpenConext/OpenConext-oidcng/blob/master/src/main/java/oidc/endpoints/AuthorizationEndpoint.java#L231

To support advances usecases in the context of SRAM and European Universities (Eurotech), we need to support so-called Remote Token Introspection. Basically this is a new spec that specifies how an AS/OIDC proxy can introspect tokens that have been issued by a different AS or proxy (both of which need to be part of the same trust framework).

I had an issue with my remote IDP metadata, leading to the following errors being logged by OIDCNG:

May 25 13:05:28 sv1811044.frd.tshsdir.local OIDC: [http-nio-9195-exec-1] org.springframework.security.saml.provider.AbstractHostedProviderService Invalid signature for remote provider metadata https://engine.example.org/authentication/idp/metadata. Unable to trust.

I noticed that, despite the exception being raised, requests are still fired against EngineBlock, even with the exception message from OIDCng appended to the HTTP request!

Engineblock log:
May 25 12:29:10 sv1811043 EBLOG[1643]: [2020-05-25 12:29:10] app.NOTICE: [404]Unroutable URI: '/authentication/idp/metadata. Unable to trust.' {"session_id":null,"request_id":"5ecb9df5e8f27"} []

EB Apache log:
May 25 12:29:10 sv1811043 HTTPD-EB: 10.19.84.248 - - [25/May/2020:12:29:09 +0200] "GET /authentication/idp/metadata.%20Unable%20to%20trust. HTTP/1.1" 404 2567 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0"

While building oidcng with an OpenJDK 11 docker image I encountered an issues. With adding an missing dependency it is possible to both build oidcng with OpenJDK 8 and OpenJDK 11.