Re: [OAUTH-WG] OAuth 2.0 Discovery Location

[Vladimir Dzhuvinov <vladimir@connect2id.com>]

On 01/03/16 00:34, Brian Campbell wrote:
> +1 for "OAuth 2.0 Authorization Server Discovery” from those two options.
>
> But what about "OAuth 2.0 Authorization Server Metadata”?
>
> The document in its current scope (which I agree with, BTW) isn't really
> about discovery so much as about describing the metadata at some
> well-known(ish) resource.

This sounds even more precise. The updated draft no longer mentions how
the client arrives at the AS metadata URL, just its format and
parameters. So the discovery bit is essentially gone from it.

Because if we take the OIDC definition of discovery, then

"OpenID Provider Issuer discovery is the process of determining the
location of the OpenID Provider."

(from
http://openid.net/specs/openid-connect-discovery-1_0.html#IssuerDiscovery )

So the draft has been reduced to mimicking sections 3 and 4 of OIDC
Discovery:

3.  OpenID Provider Metadata ->
http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata
4.  Obtaining OpenID Provider Configuration Information ->
http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig

I would like to vote for "OAuth 2.0 Authorization Server Metadata”


Cheers,

Vladimir


> On Sat, Feb 27, 2016 at 10:48 AM, Mike Jones <Michael.Jones@microsoft.com>
> wrote:
>
>> It’s clear that people want us to move to the name “OAuth 2.0
>> Authorization Server Discovery”.  The editors will plan to make that
>> change in the draft addressing Working Group Last Call comments.
>>
>>
>>
>>                                                           Thanks all,
>>
>>                                                           -- Mike
>>
>>
>>
>> *From:* Samuel Erdtman [mailto:samuel@erdtman.se]
>> *Sent:* Saturday, February 27, 2016 6:47 AM
>> *To:* Mike Jones <Michael.Jones@microsoft.com>
>> *Cc:* Vladimir Dzhuvinov <vladimir@connect2id.com>; oauth@ietf.org
>>
>> *Subject:* Re: [OAUTH-WG] OAuth 2.0 Discovery Location
>>
>>
>>
>> +1 for “OAuth 2.0 Authorization Server Discovery”
>>
>>
>>
>> //Samuel
>>
>>
>>
>> On Thu, Feb 25, 2016 at 8:10 PM, Mike Jones <Michael.Jones@microsoft.com>
>> wrote:
>>
>> Thanks for your thoughts, Vladimir.  I’m increasingly inclined to accept
>> your suggestion to change the title from “OAuth 2.0 Discovery” to “OAuth
>> 2.0 Authorization Server Discovery”.  While the abstract already makes it
>> clear that the scope of the document is AS discovery, doing so in the title
>> seems like it could help clarify things, given that a lot of the discussion
>> seems to be about resource discovery, which is out of scope of the document.
>>
>>
>>
>> I’m not saying that resource discovery isn’t important – it is – but
>> unlike authorization server discovery, where there’s lots of existing
>> practice, including using the existing data format for describing OAuth
>> implementations that aren’t being used with OpenID Connect, there’s no
>> existing practice to standardize for resource discovery.  The time to
>> create a standard for that seems to be after existing practice has
>> emerged.  It **might** or might not use new metadata values in the AS
>> discovery document, but that’s still to be determined.  The one reason to
>> leave the title as-is is that resource discovery might end up involving
>> extensions to this metadata format in some cases.
>>
>>
>>
>> I think an analogy to the core OAuth documents RFC 6749 and RFC 6750
>> applies.  6749 is about the AS.  6750 is about the RS.  The discovery
>> document is about the AS.  We don’t yet have a specification or existing
>> practice for RS discovery, which would be the 6750 analogy.
>>
>>
>>
>> In summary, which title do people prefer?
>>
>> ·       “OAuth 2.0 Discovery”
>>
>> ·       “OAuth 2.0 Authorization Server Discovery”
>>
>>
>>
>>              <OAuth@ietf.org>
>>
>>
>>
>>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth