Hi all,

RFC8414 says that the URI where the OAuth metadata document is published is

   formed by inserting a well-known URI string into the authorization
   server's issuer identifier between the host component and the path
   component, if any.  By default, the well-known URI string used is
   "/.well-known/oauth-authorization-server".

I found that some OAuth servers and clients instead follow the
convention used by OpenID Connect, where the suffix
"/.well-known/openid-configuration" (or
"/.well-known/oauth-authorization-server") is appended to the issuer URL.

Is this a common deviation from the spec?

Do you know how specific products handle this?

Does it make sense to serve the metadata document from both locations?

-Daniel

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
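
Added example, not part of the original message: a Python sketch of how a client could derive the metadata URLs under both conventions discussed above (insertion per RFC 8414, and appending as in OpenID Connect) and then apply the RFC 8414 issuer check to whichever location answers. The issuer "https://as.example.com/tenant1", the function names and the sample responses are constructed for illustration.

```python
from urllib.parse import urlsplit

SUFFIXES = ("oauth-authorization-server", "openid-configuration")


def metadata_candidates(issuer):
    """Return (convention, url) pairs to probe for an issuer, RFC 8414 form first."""
    parts = urlsplit(issuer)
    # RFC 8414 section 2: the issuer is an https URL with no query or fragment.
    if parts.scheme != "https" or not parts.netloc or parts.query or parts.fragment:
        raise ValueError("issuer must be an https URL without query or fragment")
    origin = f"{parts.scheme}://{parts.netloc}"
    path = parts.path.rstrip("/")  # a terminating "/" is dropped; "" if host only
    candidates, seen = [], set()
    for suffix in SUFFIXES:
        forms = (
            # Insertion: well-known string sits between host and issuer path.
            (f"insert:{suffix}", f"{origin}/.well-known/{suffix}{path}"),
            # Appending: well-known string follows the issuer path.
            (f"append:{suffix}", f"{origin}{path}/.well-known/{suffix}"),
        )
        for name, url in forms:
            if url not in seen:  # both forms coincide when the issuer has no path
                seen.add(url)
                candidates.append((name, url))
    return candidates


def issuer_matches(expected_issuer, metadata):
    """RFC 8414 section 3.3: the returned issuer must be identical to the one
    the URL was built from, whichever location answered."""
    return metadata.get("issuer") == expected_issuer


if __name__ == "__main__":
    issuer = "https://as.example.com/tenant1"  # constructed sample issuer
    for name, url in metadata_candidates(issuer):
        print(f"{name:38} {url}")
    # Constructed sample responses: one for the right issuer, one for another.
    good = {"issuer": "https://as.example.com/tenant1"}
    other = {"issuer": "https://as.example.com/tenant2"}
    print(issuer_matches(issuer, good), issuer_matches(issuer, other))
```

A client that probes more than one location should run the issuer comparison on every response, since a document served from an appended path can belong to a different issuer than the one requested.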
