On Tue, Jun 09, 2020 at 09:42:27AM +0200, Daniel Fett wrote: > Am 09.06.20 um 00:50 schrieb Benjamin Kaduk: > > On Mon, Jun 08, 2020 at 11:15:07AM +0200, Daniel Fett wrote: > >> Hi Filip, > >> > >> Thanks for your answers! > >> > >> I'm not quite sure if the wording in my question was clear: My main > >> concern is the difference between > >> https://example.com/some/path*/.well-known/oauth-authorization-server* > >> and > >> https://example.com*/.well-known/oauth-authorization-server*/some/path, > >> i.e., the usage of the well-known URI as a postfix or as an infix. > > .well-known is only defined at the root of the path component of a URI. > > Usage such as > > https://example.com/some/path*/.well-known/oauth-authorization-server* is > > noncompliant with RFC 5785. > > I know, but my impression is that since OIDC did it this way, some > clients are expecting the same behavior for RFC8414. Thus the question > if AS should be allowed or even required to offer the postfix variant in > an ecosystem.
Hmm, we don't seem to have gotten many replies on this question. My own individual opinion is "no", roughly on the grounds that doing it in the wild starts a slippery slope and we don't want to get in the business of encouraging BCP 190 violations. -Ben _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
