Aaron Parecki and I have published a draft of the “OAuth 2.0 Protected Resource Metadata” specification that addresses all the issues that we’re aware of. In particular, the updates address the comments received during the discussions at IETF 118. As described in the History entry for -02, the changes were:
- Switched from concatenating
.well-known
to the end of the resource identifier to inserting it between the host and path components of it. - Have
WWW-Authenticate
returnresource_metadata
rather thanresource
.
The specification is available at: