The OAuth 2.0 Protected Resource Metadata specification has been published as RFC 9728! This is certainly the longest that any RFC that I have worked on has taken from initial individual draft to RFC – August 2016 to April 2025 – 8 years and 8 months. As we discussed at the 2025 OAuth Security Workshop in Reykjavík:
Timing can be fickle. What may not be useful at one time can turn out to be useful later.
Per the abstract, here’s what it adds to the OAuth 2.0 family of specifications:
This specification defines a metadata format that an OAuth 2.0 client or authorization server can use to obtain the information needed to interact with an OAuth 2.0 protected resource.
It joins the OAuth 2.0 Dynamic Client Registration Protocol [RFC 7591] and OAuth 2.0 Authorization Server Metadata [RFC 8414] specifications, completing the set of metadata specifications for all three OAuth 2.0 roles.
I’m glad to have co-authored this one with long-time collaborator Phil Hunt and new collaborator Aaron Parecki. And I’m proud of the fact that all of my last five RFCs had a co-author for which it was their first RFC; in this case, it’s Aaron’s first RFC.
Congratulations, Aaron! It was a pleasure working on this with you.
Leave a Reply
You must be logged in to post a comment.