New OAuth 2.0 discovery draft
The OAuth working group has just published a new draft for OAuth 2.0 server discovery. The spec essentially mimics OpenID Connect Discovery, without the OpenID-specific parts.
It defines a WebFinger query for resolving the OAuth 2.0 server for a user, given some input identifier (typically an email address), and then a JSON document, obtained from that server, which details its endpoints and capabilities.
Example OAuth 2.0 server metadata:
HTTP/1.1 200 OK
Content-Type: application/json

{
  "issuer": "https://server.example.com",
  "authorization_endpoint": "https://server.example.com/connect/authorize",
  "token_endpoint": "https://server.example.com/connect/token",
  "token_endpoint_auth_methods_supported": ["client_secret_basic", "private_key_jwt"],
  "token_endpoint_auth_signing_alg_values_supported": ["RS256", "ES256"],
  "userinfo_endpoint": "https://server.example.com/connect/userinfo",
  "jwks_uri": "https://server.example.com/jwks.json",
  "registration_endpoint": "https://server.example.com/connect/register",
  "scopes_supported": ["openid", "profile", "email", "address", "phone", "offline_access"],
  "response_types_supported": ["code", "code token"],
  "service_documentation": "http://server.example.com/connect/service_documentation.html",
  "ui_locales_supported": ["en-US", "en-GB", "en-CA", "fr-FR", "fr-CA"]
}
This spec also defines for the first time parameter names for the token introspection and token revocation endpoints:
- introspection_endpoint
- revocation_endpoint
The next Connect2id server release will update the OP metadata names for these endpoints to match the upcoming spec. At present (Connect2id server 3.6) they are advertised as token_introspection_endpoint and token_revocation_endpoint.
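The two steps described above (the WebFinger query and the metadata document) and the endpoint rename, as an added client-side example; this is not code from the draft or from Connect2id. It builds the WebFinger query URL from an email-style identifier, checks a fetched metadata document before trusting it (the issuer must equal the one the client expected from the WebFinger step and every endpoint must be an https URL, so an unrelated or tampered document cannot redirect token requests), and looks up the introspection and revocation endpoints under the new spec names with a fallback to the older Connect2id 3.6 names. The metadata is the post's example embedded as a constructed string, extended with constructed introspection and revocation URLs; the WebFinger link relation value, the list of fields treated as required, and the function names are assumptions, not taken from the draft.

```python
import json
from urllib.parse import quote, urlsplit

# Constructed sample: the post's metadata example, plus the two legacy
# Connect2id 3.6 endpoint names with constructed URLs so the compatibility
# lookup below has something to resolve.
SAMPLE_METADATA = json.dumps({
    "issuer": "https://server.example.com",
    "authorization_endpoint": "https://server.example.com/connect/authorize",
    "token_endpoint": "https://server.example.com/connect/token",
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "private_key_jwt"],
    "jwks_uri": "https://server.example.com/jwks.json",
    "response_types_supported": ["code", "code token"],
    "service_documentation": "http://server.example.com/connect/service_documentation.html",
    "token_introspection_endpoint": "https://server.example.com/connect/introspect",
    "token_revocation_endpoint": "https://server.example.com/connect/revoke",
})

# Assumed link relation for the WebFinger step; confirm it against the draft
# version you target before relying on it.
OAUTH_SERVER_REL = "http://oauth.net/2/authorization-server"

# Fields this client insists on; an assumption about what a relying party
# needs, not the draft's own list of required members.
REQUIRED_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint",
                   "response_types_supported")


def webfinger_url(identifier, rel=OAUTH_SERVER_REL):
    """Build the WebFinger (RFC 7033) query URL for a user@host identifier.

    The host part of the identifier decides where the query goes; the client
    then fetches this URL over HTTPS and reads the issuer from the "href" of
    the link whose "rel" matches.
    """
    if "@" not in identifier:
        raise ValueError("expected a user@host identifier")
    host = identifier.rsplit("@", 1)[1]
    resource = quote("acct:" + identifier, safe="")
    return "https://%s/.well-known/webfinger?resource=%s&rel=%s" % (
        host, resource, quote(rel, safe=""))


def load_metadata(text):
    """Parse the JSON body of the metadata response into a dict."""
    metadata = json.loads(text)
    if not isinstance(metadata, dict):
        raise ValueError("metadata document must be a JSON object")
    return metadata


def _is_https_url(value):
    if not isinstance(value, str):
        return False
    parts = urlsplit(value)
    return parts.scheme == "https" and bool(parts.netloc)


def validate_metadata(metadata, expected_issuer):
    """Return a list of problems; an empty list means the document is usable.

    expected_issuer is the value the client obtained out of band (e.g. from
    the WebFinger response); a document whose "issuer" differs is rejected
    rather than silently adopted.
    """
    problems = []
    for key in REQUIRED_FIELDS:
        if key not in metadata:
            problems.append("missing required field: " + key)
    issuer = metadata.get("issuer")
    if issuer is not None:
        if issuer != expected_issuer:
            problems.append("issuer %r does not match expected %r"
                            % (issuer, expected_issuer))
        parts = urlsplit(issuer) if isinstance(issuer, str) else None
        if parts is None or not _is_https_url(issuer) or parts.query or parts.fragment:
            problems.append("issuer must be an https URL without query or fragment")
    # Every endpoint URL, and the JWK set URL, must use https; documentation
    # links such as service_documentation are not endpoints and are not checked.
    for key, value in metadata.items():
        if (key.endswith("_endpoint") or key == "jwks_uri") and not _is_https_url(value):
            problems.append("%s must be an https URL" % key)
    return problems


def endpoint(metadata, name, legacy_names=()):
    """Look up an endpoint by its spec name, falling back to older names."""
    for candidate in (name,) + tuple(legacy_names):
        if candidate in metadata:
            return metadata[candidate]
    return None


def resolve_endpoints(metadata):
    """Introspection and revocation endpoints under the new draft names,
    with a fallback to the names Connect2id server 3.6 advertises."""
    return {
        "introspection": endpoint(metadata, "introspection_endpoint",
                                  ["token_introspection_endpoint"]),
        "revocation": endpoint(metadata, "revocation_endpoint",
                               ["token_revocation_endpoint"]),
    }


if __name__ == "__main__":
    print(webfinger_url("joe@example.com"))
    md = load_metadata(SAMPLE_METADATA)
    print("problems:", validate_metadata(md, "https://server.example.com"))
    print(resolve_endpoints(md))
```

The issuer comparison is the check that matters most: the WebFinger step tells the client which issuer to expect, and the metadata document must confirm exactly that value, otherwise a document served from the wrong place would hand the client somebody else's authorization and token endpoints.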