Aaron Parecki and I have updated the “OAuth 2.0 Protected Resource Metadata” specification in preparation for presentation and discussions at IETF 118 in Prague. The updates address comments received during the discussions at IETF 117 and afterwards. As described in the History entry, the changes were:
- Renamed scopes_provided to scopes_supported
- Added security consideration for scopes_supported
- Use BCP 195 for TLS recommendations
- Clarified that resource metadata can be used by clients and authorization servers
- Added security consideration recommending audience-restricted access tokens
- Mention FAPI Message Signing as a use case for publishing signing keys
- Updated references
The specification is available at: