Aaron Parecki and I have published a draft of the “OAuth 2.0 Protected Resource Metadata” specification that addresses all the issues that we’re aware of. In particular, the updates address the comments received during the discussions at IETF 118. As described in the History entry for -02, the changes were:
- Switched from concatenating
.well-knownto the end of the resource identifier to inserting it between the host and path components of it. - Have
WWW-Authenticatereturnresource_metadatarather thanresource.
The specification is available at: