Hey!
We implemented the entire auth flow, following both the OAuth RFC and OpenAI documentation.
There is only one thing that remains unclear, though.
The documentation says that the Authorize endpoint (auth.client_url) will be called with the redirect_uri parameter formatted as follows: https://chat.openai.com/aip/<some_plugin_id>/oauth/callback
Our backend is going to verify that the redirect_uri matches the chat.openai.com domain.
However, should we also validate that the plugin_id corresponds to the ClientId entered during the plugin installation process, or is trusting the domain of redirect_uri enough?
Let me know if you need some clarification.
Thanks for your help folks.
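
An added example, not part of the original post and not the poster's or OpenAI's code: one way to check the redirect_uri shape quoted above by parsing it and comparing the host exactly, with an optional stricter mode that binds the plugin id in the path to the client. The `REGISTERED_PLUGIN_IDS` store, the allowed plugin-id characters and all sample values are assumptions.

```python
import re
from urllib.parse import urlsplit

ALLOWED_HOST = "chat.openai.com"
# Path shape quoted in the post: /aip/<some_plugin_id>/oauth/callback
# The character set allowed for the plugin id is an assumption.
CALLBACK_PATH = re.compile(r"/aip/([A-Za-z0-9_-]+)/oauth/callback")
# Hypothetical store: client_id -> plugin id saved at installation (constructed).
REGISTERED_PLUGIN_IDS = {"client-abc": "plugin-1234"}


def parse_callback(redirect_uri):
    """Return the plugin id if redirect_uri has the expected shape, else None."""
    # Reject whitespace, control and non-ASCII characters before parsing,
    # because urlsplit silently strips some of them.
    if not redirect_uri.isascii() or any(c <= " " or c == "\x7f" for c in redirect_uri):
        return None
    try:
        parts = urlsplit(redirect_uri)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme != "https" or port not in (None, 443):
        return None
    # Compare the parsed host exactly: prefix or substring checks on the raw
    # string accept look-alike hosts and userinfo tricks.
    if parts.hostname != ALLOWED_HOST or "@" in parts.netloc:
        return None
    if parts.query or parts.fragment:
        return None
    match = CALLBACK_PATH.fullmatch(parts.path)
    return match.group(1) if match else None


def redirect_allowed(client_id, redirect_uri, bind_plugin_id=True):
    """Domain-and-path check, optionally bound to the client's stored plugin id."""
    plugin_id = parse_callback(redirect_uri)
    if plugin_id is None:
        return False
    if not bind_plugin_id:
        return True
    expected = REGISTERED_PLUGIN_IDS.get(client_id)
    return expected is not None and plugin_id == expected
```

With `bind_plugin_id=False` the function performs only the domain-and-path check described in the post; the default mode additionally requires the path's plugin id to equal the one stored for that client.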