Re: [OAUTH-WG] OAuth Discovery metadata values added for revocation, introspection, and PKCE

Mike Jones <> Fri, 29 January 2016 23:22 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 4D83C1ACCF3 for <>; Fri, 29 Jan 2016 15:22:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id e4JH6GtJpylJ for <>; Fri, 29 Jan 2016 15:22:41 -0800 (PST)
Received: from ( [IPv6:2a01:111:f400:fc10::1:744]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 910B91ACD4B for <>; Fri, 29 Jan 2016 15:22:40 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=selector1; h=From:To:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=mqFUGbSD4Qk/xAXRp3TPo/qCuNriBrDZjSm1p6xxcFY=; b=bWPmUWpAjyawzPjJToIQbHyaO1zCFg7OZVJcHcz+J2w+e2JAVtCLDQZfuZANCb5whiYBnnnTBVREiMRdVTlkKQpypIXOpwMv1Pg1zi/nnARn+n7zwAthYUhyidNWbeMkOcXK0CdwmzD66B2YzWuGJnroYaatOx9Do3iCRxudhVM=
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.1.396.15; Fri, 29 Jan 2016 23:22:21 +0000
Received: from ([]) by ([]) with mapi id 15.01.0396.017; Fri, 29 Jan 2016 23:22:21 +0000
From: Mike Jones <>
To: John Bradley <>, Nat Sakimura <>
Thread-Topic: [OAUTH-WG] OAuth Discovery metadata values added for revocation, introspection, and PKCE
Date: Fri, 29 Jan 2016 23:22:21 +0000
Message-ID: <>
References: <> <> <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
authentication-results:; dkim=none (message not signed) header.d=none;; dmarc=none action=none;
x-originating-ip: []
x-ms-office365-filtering-correlation-id: d179dda7-ebe2-4875-e2a7-08d3290309e7
x-microsoft-exchange-diagnostics: 1; BY2PR03MB441; 5:59BKmi2Ic8iJlpDEIXEWyANIV5BX8h09+7YRgNdGEuGbqWOoLdmkpgRGfHH87GXFzjywD7Hp/j4635akZJYj3X4u8uAgWWMQypOX29T4FWFO3TdILnVe4QpHlBRNyENVndNHIlXVlVBICcLDm1PwCg==; 24:giEXMxa21pbdUOqFpLzzBHWYQmv4yhMmPysnRViDweUxtMPkeXno4esPuSPbfaCSdrf5NSwSs0Y2zDn/MGBN0P7x8Xf466Tn2/O6cexJj4Y=
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:BY2PR03MB441;
x-microsoft-antispam-prvs: <>
x-exchange-antispam-report-test: UriScan:;
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425038)(601004)(2401047)(5005006)(8121501046)(3002001)(10201501046)(61426038)(61427038); SRVR:BY2PR03MB441; BCL:0; PCL:0; RULEID:; SRVR:BY2PR03MB441;
x-forefront-prvs: 083691450C
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(209900001)(24454002)(377454003)(479174004)(92566002)(99286002)(3280700002)(2906002)(5003600100002)(76576001)(86362001)(15975445007)(5002640100001)(790700001)(3846002)(3660700001)(4326007)(5004730100002)(1220700001)(93886004)(1096002)(10090500001)(6116002)(586003)(102836003)(2950100001)(77096005)(3470700001)(11100500001)(40100003)(19617315012)(19609705001)(33656002)(5008740100001)(19300405004)(10290500002)(2900100001)(10400500002)(5005710100001)(122556002)(50986999)(54356999)(74316001)(76176999)(19625215002)(189998001)(561944003)(19580405001)(87936001)(5001960100002)(86612001)(16236675004)(66066001)(19580395003)(5001770100001)(6606295002); DIR:OUT; SFP:1102; SCL:1; SRVR:BY2PR03MB441;; FPR:; SPF:None; MLV:sfv; LANG:en;
spamdiagnosticoutput: 1:23
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_BY2PR03MB4429A6A763D5A283FC09B70F5DB0BY2PR03MB442namprd_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-originalarrivaltime: 29 Jan 2016 23:22:21.4548 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY2PR03MB441
Archived-At: <>
Cc: "" <>
Subject: Re: [OAUTH-WG] OAuth Discovery metadata values added for revocation, introspection, and PKCE
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 29 Jan 2016 23:22:46 -0000

Do the PKCE authors want to make a concrete proposal for how to represent this in discovery metadata?

From: OAuth [] On Behalf Of John Bradley
Sent: Friday, January 29, 2016 6:11 AM
To: Nat Sakimura <>
Subject: Re: [OAUTH-WG] OAuth Discovery metadata values added for revocation, introspection, and PKCE

The only problem with that is the client may only require it for some types of clients (public) or response types.

It may need to be finer grained than that, or define it as required for all public clients using the token endpoint.

John B.

On Jan 29, 2016, at 10:15 AM, Nat Sakimura <<>> wrote:

Good question.

It's probably a good idea to be able to advertise this policy in the discovery.

Perhaps in the line of

pkce_required or rfc7636_required?
The value should be Boolean.

Nat from iPhone

2016年1月29日(金) 21:23 Vladimir Dzhuvinov <<>>:
Thanks Mike, the updated spec looks good!

I have a question related to PKCE:

The PKCE spec seems to imply that an AS may require public clients to use a code challenge:

If an AS has such a policy in place, how is this to be advertised? Or is that supposed to the enforced when the client gets registered (there are no reg params for that at present)?

On 28/01/16 19:27, Mike Jones wrote:

The OAuth Discovery specification has been updated to add metadata values for revocation<><>, introspection<><>, and PKCE<><>.  Changes were:

*       Added "revocation_endpoint_auth_methods_supported" and "revocation_endpoint_auth_signing_alg_values_supported" for the revocation endpoint.

*       Added "introspection_endpoint_auth_methods_supported" and "introspection_endpoint_auth_signing_alg_values_supported" for the introspection endpoint.

*       Added "code_challenge_methods_supported" for PKCE.

The specification is available at:


An HTML-formatted version is also available at:


                                                          -- Mike

P.S.  This note was also published at and as @selfissued<><>.


OAuth mailing list<>


Vladimir Dzhuvinov
OAuth mailing list<>
OAuth mailing list<>