shing, site
> to do authentication. If the client supports the password grant then it
> probably just hands in the username and password without user interaction.
>
> -bill
>
> ------
> *From:* Sergey Shishkin
> *To:* William Mills
> *Cc:* "
s here is the "discovery" problem. How do
> you discover the authentication endpoints for a service? Unfortunately it
> turns out returning that as part of the 401 has big security concerns.
> It's still being figured out.
>
> --
> *From:* S
equest tokens at
> all. Defining those is out of scope for the core specs, but there's some
> new work that's getting started around Host Meta (for discovery) and a
> dynamic client registration spec that will address some of the biggest
> parts of this.
>
> -- Justin
While designing a hypermedia-driven API I'm evaluating possibilities to use
OAuth Bearer tokens for claims-based authorization. Currently I struggle
with how to communicate to the API client the way to obtain the token. In a
hypermedia-driven manner I don't want the API client to get this
informati