I strongly oppose. Two major issues. This is not service discovery, this is configuration lookup. The client must have already discovered the OAuth issuer URI and the resource URI.

The objective was to provide a method to ensure the client has a valid set of endpoints to prevent MITM of endpoints like the token endpoint to the resource server. The draft does not address the issue of a client being given a bad endpoint for an RS. What we end up with is a promiscuous authz service giving out tokens to an unwitting client.

Phil

> On Mar 10, 2016, at 08:06, Vladimir Dzhuvinov <vladi...@connect2id.com> wrote:
>
> +1 to move forward with these
>
>> On 10/03/16 17:35, Brian Campbell wrote:
>> +1
>>
>> On Thu, Mar 10, 2016 at 6:04 AM, Roland Hedberg <roland.hedb...@umu.se> wrote:
>>
>>> I support this document being moved forward with these two changes:
>>>
>>> - change name to "OAuth 2.0 Authorization Server Discovery Metadata" as proposed by Brian and
>>> - use the URI path suffix 'oauth-authorization-server' instead of 'openid-configuration' as proposed by Justin.
>>>
>>>> On 18 Feb 2016 at 14:40, Hannes Tschofenig <hannes.tschofe...@gmx.net> wrote:
>>>>
>>>> Hi all,
>>>>
>>>> This is a Last Call for comments on the OAuth 2.0 Discovery specification:
>>>> https://tools.ietf.org/html/draft-ietf-oauth-discovery-01
>>>>
>>>> Since this document was only adopted recently we are running this last call for **3 weeks**.
>>>>
>>>> Please have your comments in no later than March 10th.
>>>>
>>>> Ciao
>>>> Hannes & Derek
>>>>
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>>> — Roland
>>>
>>> "Everybody should be quiet near a little stream and listen."
>>> From 'Open House for Butterflies' by Ruth Krauss
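The thread turns on what a client can and cannot trust once it fetches authorization server metadata from the proposed `oauth-authorization-server` well-known path. As an added example (not code from the draft or from any poster), the following Python shows the defensive checks a client can apply to such a document with only the issuer identifier it already holds: the `issuer` field must match the identifier used for the lookup, every `*_endpoint` must be HTTPS and fragment-free, and required fields must be present. The metadata documents and the `as.example` host are constructed samples; the rule used to compose the well-known URL (suffix inserted between host and issuer path) is an assumption of this example, not a statement of what draft-01 specifies. Note that these checks only attest to the metadata document's own consistency; they do not address the resource-server endpoint problem Phil raises, which the metadata format does not cover.

```python
"""Validate OAuth 2.0 authorization server metadata against a known issuer.

Example code, not part of the draft or the mailing-list thread. Sample
metadata and hostnames below are constructed for illustration.
"""
import json
from urllib.parse import urlparse, urlunparse

# Path suffix proposed in the thread (replacing 'openid-configuration').
WELL_KNOWN_SUFFIX = "oauth-authorization-server"

# Fields the client cannot operate without. 'issuer' is what binds the
# document to the identifier the client already discovered out of band.
REQUIRED_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint")


def well_known_url(issuer: str) -> str:
    """Compose the metadata URL from an issuer the client already knows.

    Assumption of this example: the well-known suffix is inserted between
    the host and any issuer path component (e.g. per-tenant issuers).
    """
    p = urlparse(issuer)
    if p.scheme != "https" or not p.netloc:
        raise ValueError("issuer must be an absolute https URL")
    path = p.path.rstrip("/")
    return urlunparse((p.scheme, p.netloc, f"/.well-known/{WELL_KNOWN_SUFFIX}{path}", "", "", ""))


def validate_metadata(expected_issuer: str, raw_document: str) -> dict:
    """Return the usable endpoint map, or raise if the document is not
    consistent with the issuer the client looked up.

    A mismatched issuer or a non-HTTPS endpoint is treated as evidence that
    the document, or the path to it, was substituted by a third party.
    """
    md = json.loads(raw_document)
    missing = [k for k in REQUIRED_FIELDS if k not in md]
    if missing:
        raise ValueError(f"metadata missing required fields: {missing}")

    # The issuer in the document must be the one the client asked about.
    if md["issuer"].rstrip("/") != expected_issuer.rstrip("/"):
        raise ValueError("issuer in metadata does not match the issuer used for lookup")

    endpoints = {}
    for key, value in md.items():
        if not key.endswith("_endpoint"):
            continue
        p = urlparse(value)
        if p.scheme != "https" or not p.netloc:
            raise ValueError(f"{key} is not an absolute https URL: {value}")
        if p.fragment:
            raise ValueError(f"{key} must not carry a fragment: {value}")
        endpoints[key] = value
    return endpoints


# Constructed sample: metadata a legitimate server for https://as.example might publish.
GOOD_METADATA = json.dumps({
    "issuer": "https://as.example",
    "authorization_endpoint": "https://as.example/authorize",
    "token_endpoint": "https://as.example/token",
    "jwks_uri": "https://as.example/jwks",
})

# Constructed sample: same endpoints, but the issuer claims a different identity.
# A client that skips the issuer check would accept these endpoints as genuine.
MISMATCHED_METADATA = json.dumps({
    "issuer": "https://other.example",
    "authorization_endpoint": "https://as.example/authorize",
    "token_endpoint": "https://as.example/token",
})


if __name__ == "__main__":
    print("fetch from:", well_known_url("https://as.example/tenant1"))
    print("accepted:", validate_metadata("https://as.example", GOOD_METADATA))
    try:
        validate_metadata("https://as.example", MISMATCHED_METADATA)
    except ValueError as e:
        print("rejected:", e)
```

The issuer comparison is the important step: the well-known path only tells the client where to look, and without comparing the returned `issuer` to the identifier it started from, a client has no way to tell a substituted document from a genuine one.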