Category: Claims Page 6 of 13

In response to working group input, this version of the OAuth Discovery specification has been pared down to its essence — leaving only the features that are already widely deployed. Specifically, all that remains is the definition of the authorization server discovery metadata document and the metadata values used in it. The WebFinger discovery logic has been removed. The relationship between the issuer identifier URL and the well-known URI path relative to it at which the discovery metadata document is located has also been clarified.

Given that this now describes only features that are in widespread deployment, the editors believe that this version is ready for working group last call.

The specification is available at:

• http://tools.ietf.org/html/draft-ietf-oauth-discovery-01

An HTML-formatted version is also available at:

• https://self-issued.info/docs/draft-ietf-oauth-discovery-01.html

We have created the initial working group version of OAuth Discovery based on draft-jones-oauth-discovery-01, with no normative changes.

The specification is available at:

• http://tools.ietf.org/html/draft-ietf-oauth-discovery-00

An HTML-formatted version is also available at:

• https://self-issued.info/docs/draft-ietf-oauth-discovery-00.html

The OAuth Discovery specification has been updated to add metadata values for revocation, introspection, and PKCE. Changes were:

• Added “revocation_endpoint_auth_methods_supported” and “revocation_endpoint_auth_signing_alg_values_supported” for the revocation endpoint.
• Added “introspection_endpoint_auth_methods_supported” and “introspection_endpoint_auth_signing_alg_values_supported” for the introspection endpoint.
• Added “code_challenge_methods_supported” for PKCE.

The specification is available at:

• http://tools.ietf.org/html/draft-jones-oauth-discovery-01

An HTML-formatted version is also available at:

• https://self-issued.info/docs/draft-jones-oauth-discovery-01.html

I’m happy to report that a substantially revised OAuth 2.0 Token Exchange draft has been published that enables a broad range of use cases, while still remaining as simple as possible. This draft unifies the approaches taken in the previous working group draft and draft-campbell-oauth-sts, incorporating working group input from the in-person discussions in Prague and mailing list discussions. Thanks to all for your interest in and contributions to OAuth Token Exchange! Brian Campbell deserves special recognition for doing much of the editing heavy lifting for this draft.

The core functionality remains token type independent. That said, new claims are also defined to enable representation of delegation actors in JSON Web Tokens (JWTs). Equivalent claims could be defined for other token types by other specifications.

See the Document History section for a summary of the changes made. Please check it out!

The specification is available at:

• http://tools.ietf.org/html/draft-ietf-oauth-token-exchange-03

An HTML-formatted version is also available at:

• https://self-issued.info/docs/draft-ietf-oauth-token-exchange-03.html

I’m pleased to announce that Nat Sakimura, John Bradley, and I have created an OAuth 2.0 Discovery specification. This fills a hole in the current OAuth specification set that is necessary to achieve interoperability. Indeed, the Interoperability section of OAuth 2.0 states:

In addition, this specification leaves a few required components partially or fully undefined (e.g., client registration, authorization server capabilities, endpoint discovery). Without these components, clients must be manually and specifically configured against a specific authorization server and resource server in order to interoperate.

This framework was designed with the clear expectation that future work will define prescriptive profiles and extensions necessary to achieve full web-scale interoperability.

This specification enables discovery of both endpoint locations and authorization server capabilities.

This specification is based upon the already widely deployed OpenID Connect Discovery 1.0 specification and is compatible with it, by design. The OAuth Discovery spec removes the portions of OpenID Connect Discovery that are OpenID specific and adds metadata values for Revocation and Introspection endpoints. It also maps OpenID concepts, such as OpenID Provider, Relying Party, End-User, and Issuer to their OAuth underpinnings, respectively Authorization Server, Client, Resource Owner, and the newly introduced Configuration Information Location. Some identifiers with names that appear to be OpenID specific were retained for compatibility purposes; despite the reuse of these identifiers that appear to be OpenID specific, their usage in this specification is actually referring to general OAuth 2.0 features that are not specific to OpenID Connect.

The specification is available at:

• http://tools.ietf.org/html/draft-jones-oauth-discovery-00

An HTML-formatted version is also available at:

• https://self-issued.info/docs/draft-jones-oauth-discovery-00.html