OAuth logoAaron Parecki and I have published a draft of the “OAuth 2.0 Protected Resource Metadata” specification that addresses all the issues that we’re aware of. In particular, the updates address the comments received during the discussions at IETF 118. As described in the History entry for -02, the changes were:

  • Switched from concatenating .well-known to the end of the resource identifier to inserting it between the host and path components of it.
  • Have WWW-Authenticate return resource_metadata rather than resource.

The specification is available at: