Re: [OAUTH-WG] OAuth Discovery

Bill Mills <> Sat, 28 November 2015 03:58 UTC


Can you elaborate on the advantage of having a separate parallel spec to OpenID Discovery? 

    On Wednesday, November 25, 2015 3:37 PM, Mike Jones <> wrote:

I’m pleased to announce that Nat Sakimura, John Bradley, and I have created an OAuth 2.0 Discovery specification. This fills a hole in the current OAuth specification set that is necessary to achieve interoperability. Indeed, the Interoperability section of OAuth 2.0 states:

    In addition, this specification leaves a few required components partially or fully undefined (e.g., client registration, authorization server capabilities, endpoint discovery). Without these components, clients must be manually and specifically configured against a specific authorization server and resource server in order to interoperate.

    This framework was designed with the clear expectation that future work will define prescriptive profiles and extensions necessary to achieve full web-scale interoperability.

This specification enables discovery of both endpoint locations and authorization server capabilities.

This specification is based upon the already widely deployed OpenID Connect Discovery 1.0 specification and is compatible with it, by design. The OAuth Discovery spec removes the portions of OpenID Connect Discovery that are OpenID specific and adds metadata values for Revocation and Introspection endpoints. It also maps OpenID concepts, such as OpenID Provider, Relying Party, End-User, and Issuer to their OAuth underpinnings, respectively Authorization Server, Client, Resource Owner, and the newly introduced Configuration Information Location. Some identifiers with names that appear to be OpenID specific were retained for compatibility purposes; despite the reuse of these identifiers that appear to be OpenID specific, their usage in this specification is actually referring to general OAuth 2.0 features that are not specific to OpenID Connect.

The specification is available at:
·

An HTML-formatted version is also available at:
·

-- Mike

P.S. This note was also posted at and as @selfissued.