Re: [OAUTH-WG] OAuth 2.0 Authorization Server Metadata is now RFC 8414

William Denniss <wdenniss@google.com> Thu, 28 June 2018 23:15 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/2y6-387TleBUSHV2ZkrSTyb4hGY>

Congratulations!

Really glad that we have an RFC specifying how servers should provide their
configuration data in machine readable form. Helps with developer
experience (less manual configuration), as well as mitigating mix-up
attacks (better association of related endpoints), amongst other benefits.

I'm happy to say that the AppAuth clients support RFC 8414, through
discovery methods that take a complete URL
<https://github.com/openid/AppAuth-iOS/blob/1dae3a1df4de33b844284dce545c71ff0d3582ad/Source/OIDAuthorizationService.h#L111-L112>,
in addition to the issuer-based ones designed for OIDC usage.


On Thu, Jun 28, 2018 at 3:54 PM, Mike Jones <
Michael.Jones=40microsoft.com@dmarc.ietf.org> wrote:

> The OAuth 2.0 Authorization Server Metadata specification is now RFC 8414
> <https://www.rfc-editor.org/rfc/rfc8414.txt>.  The abstract describes the
> specification as:
>
> This specification defines a metadata format that an OAuth 2.0 client can
> use to obtain the information needed to interact with an OAuth 2.0
> authorization server, including its endpoint locations and authorization
> server capabilities.
>
> The specification defines a JSON metadata representation for OAuth 2.0
> authorization servers that is compatible with OpenID Connect Discovery 1.0
> <http://openid.net/specs/openid-connect-discovery-1_0.html>.  This
> specification is a true instance of standardizing existing practice.  OAuth
> 2.0 deployments have been using the OpenID Connect metadata format to
> describe their endpoints and capabilities for years.  This RFC makes this
> existing practice a standard.
>
> Having a standard OAuth metadata format makes it easier for OAuth clients
> to configure connections to OAuth authorization servers.  See
> https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#authorization-server-metadata
> for the initial set of registered metadata values.
>
> Thanks to all of you who helped make this standard a reality!
>
> -- Mike
>
> P.S.  This announcement was also posted at http://self-issued.info/?p=1883
> and as @selfissued <https://twitter.com/selfissued>.
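Added example (not part of the thread, and not AppAuth's code): how a client can derive the RFC 8414 metadata URL from an issuer identifier and refuse a metadata document whose issuer does not match, which is the check behind the endpoint association mentioned in the reply above. The example.com and example.net hosts, the sample documents and the function names are constructed for illustration; the https requirement on endpoints is this example's own policy.

```python
import json
from urllib.parse import urlsplit, urlunsplit

WELL_KNOWN = "/.well-known/oauth-authorization-server"

def metadata_url(issuer):
    """RFC 8414 section 3.1: put the well-known suffix between host and issuer path."""
    u = urlsplit(issuer)
    if u.scheme != "https" or not u.netloc or u.query or u.fragment:
        raise ValueError("issuer must be an https URL without query or fragment")
    # A terminating "/" on the issuer path is removed before the suffix is inserted.
    return urlunsplit(("https", u.netloc, WELL_KNOWN + u.path.rstrip("/"), "", ""))

def validate_metadata(expected_issuer, raw):
    """RFC 8414 section 3.3: use the document only if its issuer is identical."""
    doc = json.loads(raw)
    if doc.get("issuer") != expected_issuer:
        raise ValueError("issuer mismatch: got %r" % doc.get("issuer"))
    # Example policy (assumption): every advertised endpoint must be https.
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if key in doc and urlsplit(doc[key]).scheme != "https":
            raise ValueError("%s is not https" % key)
    return doc

# Constructed sample documents (not captured from any real server).
ISSUER = "https://as.example.com/tenant1"
GOOD = json.dumps({
    "issuer": ISSUER,
    "authorization_endpoint": ISSUER + "/authorize",
    "token_endpoint": ISSUER + "/token",
    "response_types_supported": ["code"],
}).encode()
# Same endpoints, but the document claims to belong to a different issuer.
MIXED = json.dumps({
    "issuer": "https://other.example.net",
    "authorization_endpoint": ISSUER + "/authorize",
    "token_endpoint": "https://other.example.net/token",
    "response_types_supported": ["code"],
}).encode()

def demo():
    results = {"url": metadata_url(ISSUER + "/")}
    for name, raw in (("good", GOOD), ("mixed", MIXED)):
        try:
            validate_metadata(ISSUER, raw)
            results[name] = "accepted"
        except ValueError as exc:
            results[name] = "rejected: %s" % exc
    return results

if __name__ == "__main__":
    print(demo())
```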