Hi Torsten!

Great that you compiled the list of WG items. IMO there is one item missing, and that is to create an optional formal interface between the authorization server and the protected resource. It could increase the productivity of creating OAuth-protected web services when the auth server can be treated as an off-the-shelf piece of code. Then it would be up to the auth server to also provide a number of other extensions like discovery, token revocation and others.

The next most important for me is discovery, but here I would rather want to tie on to existing technologies that already describe REST resources, like WADL, so that the OAuth discovery metadata just deals with two levels of metadata. The first is more static information about the OAuth server that is authoritative over the protected resource. The second would be the endpoint-specific authorization data about the resource: what kind of scopes are required for me to fulfill a successful request. But here it needs to be more innovative, since it might be a different answer if I am trying to do an HTTP GET than what would be needed if I am trying to do an HTTP DELETE request on a protected resource.

We are actually trying to experiment with the two different APIs, for the auth server <-> protected resource IF and for resource discovery, to get hands-on experience of what they could look like. So if others see the same value, we would be happy to collaborate and try to contribute to it becoming something agreed upon within this WG. The good part is that all of our experiments are shared in open source, so others could also join in, and we do not have any strong opinion that it has to be solved our way.

BR Kristoffer