Re: [OAUTH-WG] OAuth Discovery

Mike Jones <> Sat, 28 November 2015 04:05 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 7B92C1A88D6 for <>; Fri, 27 Nov 2015 20:05:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 13H8ol7QbD_F for <>; Fri, 27 Nov 2015 20:05:48 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 8DD1C1A88D5 for <>; Fri, 27 Nov 2015 20:05:48 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=selector1; h=From:To:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=YD8yh5/HR+Tepi/S57XnzCjeBBuZ0dlbqHjuO2OV6Ko=; b=A85Zxb9q9tKSPV3DarcclvWsZEPa84tVJSZ4M8zSs5GDsFOYZtPja6z+/YY1SRM12PlBzPyUjSNODZtRojwHOAjlvn23NH+AyID6mmMZ6EUIhdlQuXErtqgDWL4Skt5IzjkGOB9f41i/593h2ku4Eb6VtJxkQdmVU+WZBETCT54=
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.1.331.20; Sat, 28 Nov 2015 04:05:46 +0000
Received: from ([]) by ([]) with mapi id 15.01.0331.023; Sat, 28 Nov 2015 04:05:46 +0000
From: Mike Jones <>
To: Bill Mills <>, "" <>
Thread-Topic: [OAUTH-WG] OAuth Discovery
Thread-Index: AdEnv6MqmLA/Ph7MT4qJwfYSFGITHwB0WHAAAAA37DA=
Date: Sat, 28 Nov 2015 04:05:45 +0000
Message-ID: <>
References: <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
authentication-results: spf=none (sender IP is );
x-originating-ip: []
x-microsoft-exchange-diagnostics: 1; BY2PR03MB442; 5:Goix8bNg6SmopfiGF9OIHHcT4pcPZWJXC5B2Df9uqcSh+HkT49mXb09Jid9xfHBDRMQMDTKM66eGwpYhXYeGJg52YFs76nd0uuEXMDBtR+h4IVMy6tyHulV8EoGsSaxJga1nxDu5Y0g8j6aXMfQiLw==; 24:Y0GWgHElcJZ6OAjj/QRw7Hw54a5h55eCi5RH5GL3rd17Y+wdLwE3JCnZDOOptSZuSP5ZxUghp2GOy01Rhs7U1OW24HGVBnePuLT9v8w2vJA=
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:BY2PR03MB442;
x-microsoft-antispam-prvs: <>
x-exchange-antispam-report-test: UriScan:(201166117486090)(108003899814671);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425024)(601004)(2401047)(8121501046)(5005006)(520078)(10201501046)(3002001)(61426024)(61427024); SRVR:BY2PR03MB442; BCL:0; PCL:0; RULEID:; SRVR:BY2PR03MB442;
x-forefront-prvs: 07749F8C42
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(209900001)(189002)(24454002)(199003)(377454003)(5001770100001)(92566002)(790700001)(54356999)(33656002)(66066001)(74316001)(2501003)(10090500001)(19617315012)(5008740100001)(15975445007)(11100500001)(15395725005)(86612001)(19580405001)(19580395003)(16236675004)(5004730100002)(1220700001)(87936001)(40100003)(2521001)(97736004)(2950100001)(77096005)(86362001)(19300405004)(101416001)(19609705001)(122556002)(5002640100001)(586003)(6116002)(5005710100001)(10400500002)(189998001)(81156007)(106356001)(105586002)(2900100001)(50986999)(5001960100002)(102836003)(76576001)(3846002)(76176999)(1096002)(10290500002)(107886002)(8990500004)(19625215002)(5003600100002)(99286002)(6606295002); DIR:OUT; SFP:1102; SCL:1; SRVR:BY2PR03MB442;; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
received-spf: None ( does not designate permitted sender hosts)
spamdiagnosticoutput: 1:23
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_BY2PR03MB442BDB413693994CA405044F5020BY2PR03MB442namprd_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-originalarrivaltime: 28 Nov 2015 04:05:45.7125 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY2PR03MB442
Archived-At: <>
Subject: Re: [OAUTH-WG] OAuth Discovery
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sat, 28 Nov 2015 04:05:51 -0000

It allows non-Connect implementation of OAuth 2.0 to also have a standard discovery capability – and one that can later be updated to also support OpenID Connect with no breaking changes, should that be desired in the future.

                                                          -- Mike

From: Bill Mills []
Sent: Friday, November 27, 2015 7:58 PM
To: Mike Jones <>;
Subject: Re: [OAUTH-WG] OAuth Discovery

Can you elaborate on the advantage of having a separate parallel spec to OpenID Discovery?

On Wednesday, November 25, 2015 3:37 PM, Mike Jones <<>> wrote:

I’m pleased to announce that Nat Sakimura, John Bradley, and I have created an OAuth 2.0 Discovery specification.  This fills a hole in the current OAuth specification set that is necessary to achieve interoperability.  Indeed, the Interoperability section of OAuth 2.0 <> states:

In addition, this specification leaves a few required components partially or fully undefined (e.g., client registration, authorization server capabilities, endpoint discovery).  Without these components, clients must be manually and specifically configured against a specific authorization server and resource server in order to interoperate.

This framework was designed with the clear expectation that future work will define prescriptive profiles and extensions necessary to achieve full web-scale interoperability.

This specification enables discovery of both endpoint locations and authorization server capabilities.

This specification is based upon the already widely deployed OpenID Connect Discovery 1.0<> specification and is compatible with it, by design.  The OAuth Discovery spec removes the portions of OpenID Connect Discovery that are OpenID specific and adds metadata values for Revocation and Introspection endpoints.  It also maps OpenID concepts, such as OpenID Provider, Relying Party, End-User, and Issuer to their OAuth underpinnings, respectively Authorization Server, Client, Resource Owner, and the newly introduced Configuration Information Location.  Some identifiers with names that appear to be OpenID specific were retained for compatibility purposes; despite the reuse of these identifiers that appear to be OpenID specific, their usage in this specification is actually referring to general OAuth 2.0 features that are not specific to OpenID Connect.

The specification is available at:

An HTML-formatted version is also available at:

                                                                -- Mike

P.S.  This note was also posted at and as @selfissued<>.

OAuth mailing list<>