[OAUTH-WG] OAuth 2.0 Discovery Location

Samuel Erdtman <samuel@erdtman.se> Mon, 22 February 2016 06:11 UTC

Return-Path: <samuel@erdtman.se>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com []) by ietfa.amsl.com (Postfix) with ESMTP id 0C2D01B355A for <oauth@ietfa.amsl.com>; Sun, 21 Feb 2016 22:11:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.277
X-Spam-Status: No, score=-1.277 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001] autolearn=no
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id rS5OlSHpSAe0 for <oauth@ietfa.amsl.com>; Sun, 21 Feb 2016 22:11:57 -0800 (PST)
Received: from mail-qk0-x229.google.com (mail-qk0-x229.google.com [IPv6:2607:f8b0:400d:c09::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E851C1B354F for <oauth@ietf.org>; Sun, 21 Feb 2016 22:11:56 -0800 (PST)
Received: by mail-qk0-x229.google.com with SMTP id s68so52200734qkh.3 for <oauth@ietf.org>; Sun, 21 Feb 2016 22:11:56 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=erdtman-se.20150623.gappssmtp.com; s=20150623; h=mime-version:date:message-id:subject:from:to:content-type; bh=y9oz+XQYk/8vq66XddUQCMOic6oQNlT8Wz5WfnfBSU0=; b=Rejz34YFfiQvx/XjHnx3YrmFUVq3ZPVUF+mS2ieTK0OGEYbZ2OmEw4fvPFHorsoQyK SxylPt0FRU+sLkwmShttHBGhARssZMXQKl9VFXP7iYngc4i+pghJOaIRDztKOHTHz0JX l57YCVF00IdMyHbWL33yl5MoWoeyD95gm+NgfjmFPuukxjfRNYWl5/T9soSsyScfdm/k 6gPWA4+bMW2dm1Abh4i14lvNW4xFNfAifXUZ2uLkm6zdHj6m9UcClWaWhULwSeriPpJo tUkPNN5mCRsGe6Tp4cdeHtW9jmSrr8ATWj3VLDGB+Em4HV8mU3Bj/VrUkjNvLRQBQvPL ZXGw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:date:message-id:subject:from:to :content-type; bh=y9oz+XQYk/8vq66XddUQCMOic6oQNlT8Wz5WfnfBSU0=; b=lvvKl3gNAsIgrmrMMWIet8o4aoM8ao8I4207O323y60lT1VnA8JBV26t5Azr5h+qMa WVaMZvY56FYZ4uZqVN319Ugm9DQaBcOLBbpufJCz9ASiA+FI1E+rwUbfMISEN/uqpxnf wL2CQ6B/YFpx3NzpqphzFkMsAu4R6ho+o8N1UTtjQM1qgFYTX+c4QCYj5a/4/CZyMBWI SasWyhuB/tKMNolwtjud+Am96k+pEEguH3xRt/BDZJ4quWRzrE/bKgr+VxGjf9Ga0G1U q09SlZQID4BX0QfLiLxoK627eP2WJctMUE/knOQvqnnrh0gV1G+mXu8ZvBGqEnjx/TR1 /uRQ==
X-Gm-Message-State: AG10YOSzATPaAl8Y8Ry7mXNEeDNCGdDKp1SyM3yE2/2G1hmUvIXbmXsbD5KouOhTcs7lN/qtQa0aGRLbY4vhow==
MIME-Version: 1.0
X-Received: by with SMTP id d12mr19500698qkh.53.1456121515393; Sun, 21 Feb 2016 22:11:55 -0800 (PST)
Received: by with HTTP; Sun, 21 Feb 2016 22:11:55 -0800 (PST)
Date: Mon, 22 Feb 2016 07:11:55 +0100
Message-ID: <CAF2hCbZhzACZKH3YJicNaSOkcSpXmQr94KgeFx6rZaFZmSkBPw@mail.gmail.com>
From: Samuel Erdtman <samuel@erdtman.se>
To: oauth@ietf.org
Content-Type: multipart/alternative; boundary="001a11400594acdb8d052c55b528"
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/Z0LCBuvFDCQTd4xfwoddlbC2P7w>
Subject: [OAUTH-WG] OAuth 2.0 Discovery Location
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Feb 2016 06:11:59 -0000


Here coms some review comments, In general I think this is a good document.


2.  Authorization Server Metadata

token_endpoint, I would prefer if the requiredness of this parameter was
put in the beginning instead of the end as with the other parameters.

jwks_uri, I would like to change to recommended since this is not a
parameter required by the base OAuth 2.0 framework similar to

jwks_uri, It would be nice with a referens to the definition of jwks_uri.

jwks_uri, “When both signing and encryption keys are made available, a
"use" (public key use) parameter value is REQUIRED for all keys in the
referenced JWK Set to indicate each key's intended usage”
The text would be simpler if it just said that “use” always was required.
It would also be one less thing to argue about when it comes to
interoperability if it was always required.

response_types_supported, an example would be appreciated and maybe a
referees to the response type definition

response_types_supported, What is the difference between
response_types_supported and grant_types_supported, with a quick look they
seem very similar. Could it be enough with one of them?

revocation_endpoint_auth_signing_alg_values_supported and
token_endpoint_auth_signing_alg_values_supported, it would be good with a
reference to the definition of "private_key_jwt" and "client_secret_jwt"

token_endpoint_auth_methods_supported, why not refer to IANA registry for
"OAuth Token Endpoint Authentication Methods" under [IANA.OAuth.Parameters]
in the same way as with
introspection_endpoint_auth_signing_alg_values_supported and

3.  Obtaining Authorization Server Discovery Metadata
As also mentioned by Justin I think it is a bit confusing with the example
opened-configuration as .well-known/ postfix could it be made clearer that
it is ab example maybe by making "/.well-known/example-configuration" the
primary example.

5.  Compatibility Notes
”http://openid.net/specs/connect/1.0/issuer" is only used in this section,
maybe it should be removed?