Aaron Parecki and I published a new version the “OAuth 2.0 Protected Resource Metadata” specification that addresses the review comments received since the IETF Last Call. Per the history entries, the changes were:
- Added metadata values declaring support for DPoP and mutual-TLS client certificate-bound access tokens.
- Added missing word caught during IANA review.
- Addressed ART, SecDir, and OpsDir review comments by Arnt Gulbrandsen, David Mandelberg, and Bo Wu, resulting in the following changes:
- Added step numbers to sequence diagram.
- Defined meaning of omitting
bearer_methods_supported metadata
parameter. - Added internationalization of human-readable metadata values using the mechanism from [RFC7591].
- Added
resource_name
metadata parameter, parallelingclient_name
in [RFC7591]. - Added Security Considerations section on metadata caching.
- Used and referenced Resource Identifier definition.
- Added motivating example of an email client to intro.
The specification is available at: