Re: [OAUTH-WG] OAuth Discovery

Mike Jones <> Thu, 26 November 2015 01:13 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id F2D4C1A87B2 for <>; Wed, 25 Nov 2015 17:13:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id kf1MLQY8mknb for <>; Wed, 25 Nov 2015 17:13:40 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id D59171A87AE for <>; Wed, 25 Nov 2015 17:13:38 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=selector1; h=From:To:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=1PPau+/ULIw8kZBJFdUeMCeD4QDCPc19XvpvGsrz8O8=; b=mAJsfuzF/OWeBuv1O+LBHXJVixW4qqwmRA8B73ecI+8c+XMppCZgWnTVAweqvwBF/jBJM4IhdoSsssrP++B84DXdxgse7YvyEW8LTl6oXHA9ufO9nzlsqgQrfdEp2EQixKpLd+qQ2Fb7I9ljvuP8YBywJD91hemDkCBi9VNvtQw=
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.1.331.20; Thu, 26 Nov 2015 01:13:35 +0000
Received: from ([]) by ([]) with mapi id 15.01.0331.023; Thu, 26 Nov 2015 01:13:35 +0000
From: Mike Jones <>
To: John Bradley <>, William Denniss <>
Thread-Topic: [OAUTH-WG] OAuth Discovery
Thread-Index: AdEnv6MqmLA/Ph7MT4qJwfYSFGITHwAHfLyAAAIF0AAAAA2/IA==
Date: Thu, 26 Nov 2015 01:13:35 +0000
Message-ID: <>
References: <> <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
authentication-results: spf=none (sender IP is );
x-originating-ip: []
x-microsoft-exchange-diagnostics: 1; BY2PR03MB444; 5:tM74bfeghdFYVZvtnLKK+PaMvJfjxEwmKREMF+nZYYRazKX4XZarZ69kPOkLmRiYgSTek+7lg3x6FiWI33/4mjtGuF0iCrEuudO/PMUnGQRxKSAFSiBZMF6P3Y1l/XVdnsd4tuq1ZeK4XNa3OFKRWQ==; 24:rb6pPg40mjUiYCfEl9UgezFaQ5KLb7eZymmQ/+CtmBqCxWrx3MBDqV8hnfvtGzmtO5826AXLyvmXlnG2B3/2CA30jWnFifw3lEM1U9yCT/A=
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:BY2PR03MB444;
x-microsoft-antispam-prvs: <>
x-exchange-antispam-report-test: UriScan:(211936372134217)(108003899814671);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425024)(601004)(2401047)(520078)(5005006)(8121501046)(3002001)(10201501046)(61426024)(61427024); SRVR:BY2PR03MB444; BCL:0; PCL:0; RULEID:; SRVR:BY2PR03MB444;
x-forefront-prvs: 0772E5DAD5
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(209900001)(377454003)(189002)(199003)(51914003)(24454002)(99286002)(5004730100002)(8990500004)(2900100001)(19580405001)(19580395003)(105586002)(40100003)(87936001)(122556002)(66066001)(2950100001)(92566002)(106356001)(74316001)(11100500001)(86362001)(1096002)(19609705001)(19300405004)(86612001)(76176999)(101416001)(189998001)(81156007)(97736004)(5001770100001)(1220700001)(5001960100002)(10090500001)(76576001)(33656002)(5002640100001)(19625215002)(15395725005)(16236675004)(5008740100001)(5003600100002)(15975445007)(5005710100001)(10290500002)(77096005)(54356999)(10400500002)(586003)(19617315012)(6116002)(50986999)(790700001)(102836003)(3846002)(6606295002); DIR:OUT; SFP:1102; SCL:1; SRVR:BY2PR03MB444;; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
received-spf: None ( does not designate permitted sender hosts)
spamdiagnosticoutput: 1:23
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_BY2PR03MB4421A1D95F9415936C73C20F5040BY2PR03MB442namprd_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-originalarrivaltime: 26 Nov 2015 01:13:35.6571 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY2PR03MB444
Archived-At: <>
Cc: "" <>
Subject: Re: [OAUTH-WG] OAuth Discovery
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 26 Nov 2015 01:13:44 -0000

Thanks for the quick feedback, William.  I had almost finished writing similar comments to John’s when his reply came in. ;-)

Per your second questions, for the -00 draft, we intentionally didn’t invent any new functionality (other than adding revocation and introspection endpoint values).  Other means of obtaining the configuration information location can be added later, if there’s consensus to do so.  I’ll observe that if we want the authorization endpoint to return something additional, that may be more of an activity that revises RFC 6749 than a discovery spec activity.  If so, the 6749bis could specify that a URL for the discovery information be returned under specific circumstances.

John’s right that people should think about how to best describe the “issuer” value in a general OAuth context.  The spec currently says that this location is the root of .well-known resources for the authorization server.  That’s certainly true but maybe not completely intuitively appealing.  Your thoughts how to better describe this would be appreciated.

Happy Thanksgiving to all of you in the US!

                                                          -- Mike

From: John Bradley []
Sent: Wednesday, November 25, 2015 4:59 PM
To: William Denniss <>
Cc: Mike Jones <>;
Subject: Re: [OAUTH-WG] OAuth Discovery

On Nov 25, 2015, at 9:01 PM, William Denniss <<>> wrote:

Looks good. A few review notes:

Can we add a xref to the WebFinger spec (RFC7033) in section 2?
Yes that should be OK

Is the only way to discover the location of the discovery document via WebFinger?

In Yokohama we also talked about the AS returning the discovery document host (i.e. issuer) on the auth and token endpoints.  What are the reasons for choosing WebFinger over that method?

This is a first draft, that is close to the Connect Document.  It needs work, around what a issuer (AS identity) is in OAuth.   Some of the Webdinger stuff is strange without a specific API that you are looking for.   It would be odd to look for someone’s OAuth server.  I could see looking for a persons Photosharing service and getting directed to It’s AS discovery document assuming a well known API.

Nat has a spec on meta-data for the endpoint API.   The WG may elect to merge them or keep them separate.   It would be the endpoint meta-data (headers) that would point at the discovery document.

This is a start.

It looks like an IANA registry was not setup for OpenID Connect discovery params (at least, not in that spec). Is the registry established in designed to be a shared registry for OIDC/OAuth discovery? And if so, should we also register values defined in the OIDC discovery spec, e.g. “subject_types_supported"

I expect that like registration, OAuth would establish the registry and register an initial set, and then Connect would add connect specific claims to that registry once it is established.

John B.

On Wed, Nov 25, 2015 at 3:37 PM, Mike Jones <<>> wrote:
I’m pleased to announce that Nat Sakimura, John Bradley, and I have created an OAuth 2.0 Discovery specification.  This fills a hole in the current OAuth specification set that is necessary to achieve interoperability.  Indeed, the Interoperability section of OAuth 2.0 <> states:

In addition, this specification leaves a few required components partially or fully undefined (e.g., client registration, authorization server capabilities, endpoint discovery).  Without these components, clients must be manually and specifically configured against a specific authorization server and resource server in order to interoperate.

This framework was designed with the clear expectation that future work will define prescriptive profiles and extensions necessary to achieve full web-scale interoperability.

This specification enables discovery of both endpoint locations and authorization server capabilities.

This specification is based upon the already widely deployed OpenID Connect Discovery 1.0<> specification and is compatible with it, by design.  The OAuth Discovery spec removes the portions of OpenID Connect Discovery that are OpenID specific and adds metadata values for Revocation and Introspection endpoints.  It also maps OpenID concepts, such as OpenID Provider, Relying Party, End-User, and Issuer to their OAuth underpinnings, respectively Authorization Server, Client, Resource Owner, and the newly introduced Configuration Information Location.  Some identifiers with names that appear to be OpenID specific were retained for compatibility purposes; despite the reuse of these identifiers that appear to be OpenID specific, their usage in this specification is actually referring to general OAuth 2.0 features that are not specific to OpenID Connect.

The specification is available at:

An HTML-formatted version is also available at:

                                                                -- Mike

P.S.  This note was also posted at and as @selfissued<>.

OAuth mailing list<>

OAuth mailing list<>