New OAuth 2.0 discovery draft

The OAuth working group has just published a new draft for OAuth 2.0 server discovery. The spec essentially mimics OpenID Connect Discovery, without the OpenID-specific parts.

It defines a WebFinger query for resolving the OAuth 2.0 server for a user given some input identifier (typically email) and then obtaining a JSON document detailing the server's endpoints and capabilities.

Example OAuth 2.0 server metadata:

HTTP/1.1 200 OK
Content-Type: application/json

{
 "issuer":
   "https://server.example.com",
 "authorization_endpoint":
   "https://server.example.com/connect/authorize",
 "token_endpoint":
   "https://server.example.com/connect/token",
 "token_endpoint_auth_methods_supported":
   ["client_secret_basic", "private_key_jwt"],
 "token_endpoint_auth_signing_alg_values_supported":
   ["RS256", "ES256"],
 "userinfo_endpoint":
   "https://server.example.com/connect/userinfo",
 "jwks_uri":
   "https://server.example.com/jwks.json",
 "registration_endpoint":
   "https://server.example.com/connect/register",
 "scopes_supported":
   ["openid", "profile", "email", "address", "phone", "offline_access"],
 "response_types_supported":
   ["code", "code token"],
 "service_documentation":
   "http://server.example.com/connect/service_documentation.html",
 "ui_locales_supported":
   ["en-US", "en-GB", "en-CA", "fr-FR", "fr-CA"]
}

This spec also defines for the first time parameter names for the token introspection and token revocation endpoints:

  • introspection_endpoint
  • revocation_endpoint

The next Connect2id server release will update the OP metadata names for these endpoints to match the upcoming spec. At present (Connect2id server 3.6) they are advertised as token_introspection_endpoint and token_revocation_endpoint.
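As an added example that is not part of the original post or of the Connect2id server code, the Python below shows what a client should check in a fetched metadata document before trusting it: the issuer must be an https URL without query or fragment and must match the issuer the client resolved out of band (the WebFinger step), every advertised endpoint must be an absolute https URL, and the introspection and revocation endpoints are looked up under the draft's names with a fallback to the Connect2id 3.6 names mentioned above. The sample document, its /token/introspect and /token/revoke paths, and the set of fields treated as required are constructed for this example; the "none" algorithm check follows the OpenID Connect Discovery rule the draft mimics.

```python
import json
from urllib.parse import urlsplit

# Constructed sample, modelled on the draft's example above. The introspection and
# revocation endpoints use the pre-draft Connect2id 3.6 names; paths are made up.
SAMPLE_METADATA = json.dumps({
    "issuer": "https://server.example.com",
    "authorization_endpoint": "https://server.example.com/connect/authorize",
    "token_endpoint": "https://server.example.com/connect/token",
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "private_key_jwt"],
    "token_endpoint_auth_signing_alg_values_supported": ["RS256", "ES256"],
    "jwks_uri": "https://server.example.com/jwks.json",
    "response_types_supported": ["code", "code token"],
    "token_introspection_endpoint": "https://server.example.com/token/introspect",
    "token_revocation_endpoint": "https://server.example.com/token/revoke",
})

# Fields this example insists on (assumption for the example, not the draft's full list).
REQUIRED_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint", "response_types_supported")

# Fields whose values are endpoint URLs and therefore must be absolute https.
ENDPOINT_FIELDS = (
    "authorization_endpoint", "token_endpoint", "userinfo_endpoint", "jwks_uri",
    "registration_endpoint", "introspection_endpoint", "revocation_endpoint",
    "token_introspection_endpoint", "token_revocation_endpoint",
)

# Draft name -> name advertised by Connect2id server 3.6 (from the post above).
LEGACY_NAMES = {
    "introspection_endpoint": "token_introspection_endpoint",
    "revocation_endpoint": "token_revocation_endpoint",
}


class MetadataError(ValueError):
    """Raised when a metadata document fails validation."""


def _require_https_url(name, value):
    parts = urlsplit(value if isinstance(value, str) else "")
    if parts.scheme != "https" or not parts.netloc:
        raise MetadataError(f"{name} must be an absolute https URL, got {value!r}")
    return parts


def parse_server_metadata(raw, expected_issuer):
    """Parse and validate a server metadata document.

    expected_issuer is the issuer the client resolved before fetching the
    document. Rejecting a mismatch stops a document served from one host
    from silently pointing the client at another server's endpoints.
    """
    doc = json.loads(raw)
    if not isinstance(doc, dict):
        raise MetadataError("metadata must be a JSON object")
    missing = [k for k in REQUIRED_FIELDS if k not in doc]
    if missing:
        raise MetadataError(f"missing required fields: {missing}")

    issuer_parts = _require_https_url("issuer", doc["issuer"])
    if issuer_parts.query or issuer_parts.fragment:
        raise MetadataError("issuer must not carry a query or fragment")
    if doc["issuer"].rstrip("/") != expected_issuer.rstrip("/"):
        raise MetadataError(f"issuer mismatch: {doc['issuer']!r} != {expected_issuer!r}")

    for key in ENDPOINT_FIELDS:
        if key in doc:
            _require_https_url(key, doc[key])

    # OpenID Connect Discovery forbids "none" here; the draft mirrors that model.
    if "none" in doc.get("token_endpoint_auth_signing_alg_values_supported", []):
        raise MetadataError("'none' is not allowed as a token endpoint auth signing alg")
    return doc


def resolve_endpoint(doc, name):
    """Return the URL for the draft's endpoint name, falling back to the
    Connect2id 3.6 name while servers migrate; None if neither is advertised."""
    if name in doc:
        return doc[name]
    legacy = LEGACY_NAMES.get(name)
    if legacy and legacy in doc:
        return doc[legacy]
    return None


if __name__ == "__main__":
    meta = parse_server_metadata(SAMPLE_METADATA, "https://server.example.com")
    for ep in ("introspection_endpoint", "revocation_endpoint", "registration_endpoint"):
        print(ep, "->", resolve_endpoint(meta, ep))
```

A client that pins the issuer this way also gets a cheap defence against a metadata document being swapped out in transit or served from a look-alike host: any document whose issuer does not equal the pre-resolved value is discarded before a single endpoint URL is used.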