diff --git a/plugins/kolab_sso/README b/plugins/kolab_sso/README
index 0c130f3d..bad65b82 100644
--- a/plugins/kolab_sso/README
+++ b/plugins/kolab_sso/README
@@ -37,6 +37,18 @@ and on the provider side configured URI will be https://host/roundcubemail/sso.
 IMPLEMENTATION NOTES
 --------------------
+Specification: https://openid.net/specs/openid-connect-core-1_0.html
+
+Limitations:
+- OpenIDC Discovery and Dynamic Client Registration is not supported,
+- Authentication with Authorization Code Flow is the only one supported,
+- required grant types: authorization_code, refresh_token (for token refresh),
+- required claims: id_token,
+- required scopes: email, openid, offline_access (for token refresh),
+- endpoints used: token, authorization,
+- supported signature algorithms: HS256, HS385, HS512, RS256, RS384, RS512.
+- supported token endpoint auth methods: client_secret_basic, client_secret_post.
+
 [IMAP]
 Because Kolab backend do not support token authentication it is required to use master user (sasl proxy) authentication, i.e. you have to put master user credentials in plugin's config.
diff --git a/plugins/kolab_sso/config.inc.php.dist b/plugins/kolab_sso/config.inc.php.dist
index 17e643b5..0b0c61d9 100644
--- a/plugins/kolab_sso/config.inc.php.dist
+++ b/plugins/kolab_sso/config.inc.php.dist
@@ -45,7 +45,7 @@ $config['kolab_sso_options'] = array(
 // Token URI, if different than /token
 'token_uri' => 'https://kolab.eu.auth0.com/oauth/token',
 // Authorize URI, if different than /authorize
- 'authorize_uri' => 'https://kolab.eu.auth0.com/authorize',
+ 'auth_uri' => 'https://kolab.eu.auth0.com/authorize',
 // Response URI, by default we use https://domain.tld/path?_task=login&_action=sso
 // Define it if the Provider does not allow above
 // to use https://domain.tld/path/ instead
diff --git a/plugins/kolab_sso/drivers/openidc.php b/plugins/kolab_sso/drivers/openidc.php
index 2bb2ed2c..246f130e 100644
--- a/plugins/kolab_sso/drivers/openidc.php
+++ b/plugins/kolab_sso/drivers/openidc.php
@@ -53,7 +53,7 @@ class kolab_sso_openidc
 // TODO: Other params by config: display, prompt, max_age,
- $url = $this->config['authorize_uri'] ?: (unslashify($this->config['uri']) . '/authorize');
+ $url = $this->config['auth_uri'] ?: (unslashify($this->config['uri']) . '/authorize');
 $url .= '?' . http_build_query($params);
 $this->plugin->debug("[{$this->id}][authorize] Redirecting to $url");
@@ -178,11 +178,11 @@ class kolab_sso_openidc
 $this->plugin->debug("[{$this->id}][$mode] Requesting POST $url?$post");
 try {
- // TODO: HTTP Basic and JWT methods of client authentication
+ // TODO: JWT-based methods of client authentication
 // https://openid.net/specs/openid-connect-core-1_0.html#rfc.section.9
 $request = $this->get_request($url, 'POST');
-// $request->setAuth($this->config['client_id'], $this->config['client_secret']);
+ $request->setAuth($this->config['client_id'], $this->config['client_secret']);
 $request->setBody($post);
 $response = $request->send();
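Review bot: Renaming the option from `authorize_uri` to `auth_uri` on the changed `$url = ...` line means an existing config.inc.php that still sets `authorize_uri` is silently ignored and the driver falls back to `uri` + `/authorize`; because that fallback is only a convention, users could be redirected to a wrong or non-existent authorization endpoint with no error or log entry pointing at the cause. Reading the old key as a fallback keeps existing deployments working, and `??` avoids the undefined-index notice that `?:` raises when neither key is configured: `$url = ($this->config['auth_uri'] ?? $this->config['authorize_uri'] ?? null) ?: (unslashify($this->config['uri']) . '/authorize');`. The same rename appears in the config.inc.php.dist hunk, where a one-line comment marking `authorize_uri` as the deprecated spelling would help administrators upgrading. The enclosing method starts and ends outside the hunk.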