[OAUTH-WG] OAuth 2.0 Discovery Location

Justin Richer <jricher@MIT.EDU> Fri, 19 February 2016 21:59 UTC

Return-Path: <jricher@mit.edu>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 41A311B2CE9 for <oauth@ietfa.amsl.com>; Fri, 19 Feb 2016 13:59:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.207
X-Spam-Level:
X-Spam-Status: No, score=-4.207 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.006, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7S4t1dmm2EiD for <oauth@ietfa.amsl.com>; Fri, 19 Feb 2016 13:59:37 -0800 (PST)
Received: from dmz-mailsec-scanner-8.mit.edu (dmz-mailsec-scanner-8.mit.edu [18.7.68.37]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B159D1B2C87 for <oauth@ietf.org>; Fri, 19 Feb 2016 13:59:35 -0800 (PST)
X-AuditID: 12074425-51bff70000000210-72-56c790436849
Received: from mailhub-auth-2.mit.edu ( [18.7.62.36]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by (Symantec Messaging Gateway) with SMTP id 6D.CA.00528.34097C65; Fri, 19 Feb 2016 16:59:32 -0500 (EST)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-2.mit.edu (8.13.8/8.9.2) with ESMTP id u1JLxVcr022234 for <oauth@ietf.org>; Fri, 19 Feb 2016 16:59:31 -0500
Received: from artemisia.richer.local (static-96-237-195-53.bstnma.fios.verizon.net [96.237.195.53]) (authenticated bits=0) (User authenticated as jricher@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id u1JLxUtB018826 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT) for <oauth@ietf.org>; Fri, 19 Feb 2016 16:59:31 -0500
From: Justin Richer <jricher@MIT.EDU>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Message-Id: <E3BDAD5F-6DE2-4FB9-AEC0-4EE2D2BF8AC8@mit.edu>
Date: Fri, 19 Feb 2016 16:59:32 -0500
To: "<oauth@ietf.org>" <oauth@ietf.org>
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2104\))
X-Mailer: Apple Mail (2.2104)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFjrFIsWRmVeSWpSXmKPExsUixG6nousy4XiYwYvZTBYn375ic2D0WLLk J1MAYxSXTUpqTmZZapG+XQJXxryWbqaCXewVv25kNDAuYOti5OSQEDCRuPXkInMXIxeHkEAb k8SP9kMsEM4xRom/r14zQjjfmCTWdP1hBGlhE1CVmL/yFhOIzSygLvFn3iVmCFtbYtnC12C2 MFDN9G8fWEBsXgEriS3dF9hBbBag+KfOnawgtghQ75rzP5kgavQkXt26zApxkqzE7t+PmCYw 8s5CsmIWkhWzkLQsYGRexSibklulm5uYmVOcmqxbnJyYl5dapGuhl5tZopeaUrqJERxMLqo7 GCccUjrEKMDBqMTDeyP5eJgQa2JZcWXuIUZJDiYlUd6USqAQX1J+SmVGYnFGfFFpTmrxIUYJ DmYlEd79vUA53pTEyqrUonyYlDQHi5I4b8zNo2FCAumJJanZqakFqUUwWRkODiUJ3tn9QI2C RanpqRVpmTklCGkmDk6Q4TxAw5NBaniLCxJzizPTIfKnGHU5Fvy4vZZJiCUvPy9VSpzXAKRI AKQoozQPbg4oCSS8PWz6ilEc6C1h3rcgVTzABAI36RXQEiagJfemHQNZUpKIkJJqYIwOd30+ qzzm56z3C7bN2vhqg/uywF/SQvLRxfOWxZ694tnBtPVEWr/31+psP42z1dOevjjwlTu49sGb 0sfnuUvisibx/tZacDr4Kk/s62uzrB5/5GI/bvTKKj9z29L5qR/N/xk7nudylZaa8Lo3PMv0 JkPfHwfZwFTuLVP0D851ecmoy8x7jlGJpTgj0VCLuag4EQA77w5Y3QIAAA==
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/NP5OSijkM_SxIHNO3IaGFnJP_dQ>
Subject: [OAUTH-WG] OAuth 2.0 Discovery Location
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Feb 2016 21:59:40 -0000

The newly-trimmed OAuth Discovery document is helpful and moving in the right direction. It does, however, still have too many vestiges of its OpenID Connect origins. One issue in particular still really bothers me: the use of “/.well-known/openid-configuration” in the discovery portion. Is this an OAuth discovery document, or an OpenID Connect one? There is absolutely no compelling reason to tie the URL to the OIDC discovery mechanism.

I propose that we use “/.well-known/oauth-authorization-server” as the default discovery location, and state that the document MAY also be reachable from “/.well-known/openid-configuration” if the server also provides OpenID Connect on the same domain. Other applications SHOULD use the same parameter names to describe OAuth endpoints and functions inside their service-specific discovery document. 

 — Justin