Category: JSON Page 4 of 12

The IETF OAuth working group decided at IETF 97 to proceed with standardizing the OAuth Authorization Server Metadata specification, which is already in widespread use, and to stop work on the OAuth Protected Resource Metadata specification, which is more speculative. Accordingly, a new version of the AS Metadata spec has been published that removes its dependencies upon the Resource Metadata spec. In particular, the “protected_resources” AS Metadata element has been removed. Its definition has been moved to the Resource Metadata spec for archival purposes. Note that the Resource Metadata specification authors intend to let it expire unless the working group decides to resume work on it at some point in the future.

The specifications are available at:

• https://tools.ietf.org/html/draft-ietf-oauth-discovery-05
• https://tools.ietf.org/html/draft-jones-oauth-resource-metadata-01

HTML-formatted versions are also available at:

• https://self-issued.info/docs/draft-ietf-oauth-discovery-05.html
• https://self-issued.info/docs/draft-jones-oauth-resource-metadata-01.html

The existing OAuth 2.0 Authorization Server Metadata specification has now been joined by a related OAuth 2.0 Protected Resource Metadata specification. This means that JSON metadata formats are now defined for all the OAuth 2.0 parties: clients, authorization servers, and protected resources.

The most significant addition to the OAuth 2.0 Authorization Server Metadata specification is enabling signed metadata, represented as claims in a JSON Web Token (JWT). This is analogous to the role that the Software Statement plays in OAuth Dynamic Client Registration. Signed metadata can also be used for protected resource metadata.

For use cases in which the set of protected resources used with an authorization server are enumerable, the authorization server metadata specification now defines the “protected_resources” metadata value to list them. Likewise, the protected resource metadata specification defines an “authorization_servers” metadata value to list the authorization servers that can be used with a protected resource, for use cases in which those are enumerable.

The specifications are available at:

• http://tools.ietf.org/html/draft-ietf-oauth-discovery-04
• http://tools.ietf.org/html/draft-jones-oauth-resource-metadata-00

HTML-formatted versions are also available at:

• https://self-issued.info/docs/draft-ietf-oauth-discovery-04.html
• https://self-issued.info/docs/draft-jones-oauth-resource-metadata-00.html

A new draft of “OAuth 2.0 Token Exchange” has been published addressing review comments on the prior draft. The changes from -03 are listed here:

• Clarified that the “resource” and “audience” request parameters can be used at the same time (via http://www.ietf.org/mail-archive/web/oauth/current/msg15335.html).
• Clarified subject/actor token validity after token exchange and explained a bit more about the recommendation to not issue refresh tokens (via http://www.ietf.org/mail-archive/web/oauth/current/msg15318.html).
• Updated the examples appendix to use an issuer value that doesn’t imply that the client issued and signed the tokens and used “Bearer” and “urn:ietf:params:oauth:token-type:access_token” in one of the responses (via http://www.ietf.org/mail-archive/web/oauth/current/msg15335.html).
• Defined and registered urn:ietf:params:oauth:token-type:id_token, since some use cases perform token exchanges for ID Tokens and no URI to indicate that a token is an ID Token had previously been defined.

The specification is available at:

• http://tools.ietf.org/html/draft-ietf-oauth-token-exchange-04

An HTML-formatted version is also available at:

• https://self-issued.info/docs/draft-ietf-oauth-token-exchange-04.html

Thanks to Brian Campbell for doing most of the edits for this release.

In response to working group input, this version of the OAuth Discovery specification has been pared down to its essence — leaving only the features that are already widely deployed. Specifically, all that remains is the definition of the authorization server discovery metadata document and the metadata values used in it. The WebFinger discovery logic has been removed. The relationship between the issuer identifier URL and the well-known URI path relative to it at which the discovery metadata document is located has also been clarified.

Given that this now describes only features that are in widespread deployment, the editors believe that this version is ready for working group last call.

The specification is available at:

• http://tools.ietf.org/html/draft-ietf-oauth-discovery-01

An HTML-formatted version is also available at:

• https://self-issued.info/docs/draft-ietf-oauth-discovery-01.html

We have created the initial working group version of OAuth Discovery based on draft-jones-oauth-discovery-01, with no normative changes.

The specification is available at:

• http://tools.ietf.org/html/draft-ietf-oauth-discovery-00

An HTML-formatted version is also available at:

• https://self-issued.info/docs/draft-ietf-oauth-discovery-00.html

The OAuth Discovery specification has been updated to add metadata values for revocation, introspection, and PKCE. Changes were:

• Added “revocation_endpoint_auth_methods_supported” and “revocation_endpoint_auth_signing_alg_values_supported” for the revocation endpoint.
• Added “introspection_endpoint_auth_methods_supported” and “introspection_endpoint_auth_signing_alg_values_supported” for the introspection endpoint.
• Added “code_challenge_methods_supported” for PKCE.

The specification is available at:

• http://tools.ietf.org/html/draft-jones-oauth-discovery-01

An HTML-formatted version is also available at:

• https://self-issued.info/docs/draft-jones-oauth-discovery-01.html