Good catch. The authorization_endpoint should only be required if flows are
supported that need it. Our old favorite, the Resource Owner Password
Credentials flow, doesn’t use it, correct? Likewise, the Client Credentials
flow doesn’t. I’ll plan to make appropriate updates in -08.
-- Mike

From: Dick Hardt [mailto:[email protected]]
Sent: Tuesday, November 14, 2017 5:02 PM
To: [email protected]; Mike Jones <[email protected]>
Subject: Question on REQUIRED metadata in https://tools.ietf.org/html/draft-ietf-oauth-discovery-07

I was reviewing https://tools.ietf.org/html/draft-ietf-oauth-discovery-07 and
noticed in
https://tools.ietf.org/html/draft-ietf-oauth-discovery-07#section-2 that
authorization_endpoint is REQUIRED.

I am working on deployments that are two-legged OAuth where there is no
authorization_endpoint, but having a discovery document would be super useful.

Additionally, in https://tools.ietf.org/html/draft-hardt-oauth-distributed-00,
discovery would be useful, but an authorization_endpoint may
not be needed in the authorization server as it is a two-legged OAuth flow (i.e.,
there is no user granting permission; the client is requesting an access token
to use at resources).

Is there a reason why authorization_endpoint is REQUIRED?

/Dick
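
A client-side check for the conditional requirement discussed in this thread, as an added example that is not part of either message or of the draft: authorization_endpoint is demanded only when a supported grant type uses it. The function names, the https checks and the sample document are assumptions made for illustration; the grant_types_supported default follows RFC 8414, the published form of this draft.

```python
from urllib.parse import urlsplit

# Grant types whose flow sends the user agent to the authorization endpoint.
USES_AUTHORIZATION_ENDPOINT = {"authorization_code", "implicit"}
# Default applied when grant_types_supported is omitted (RFC 8414).
DEFAULT_GRANT_TYPES = ["authorization_code", "implicit"]


def is_https_url(value):
    """True for a string that parses as an https URL with a host."""
    if not isinstance(value, str):
        return False
    parts = urlsplit(value)
    return parts.scheme == "https" and bool(parts.netloc)


def validate_metadata(doc):
    """Return a list of problems in a parsed discovery document (hypothetical helper)."""
    problems = []
    if not is_https_url(doc.get("issuer")):
        problems.append("issuer: missing or not an https URL")

    grants = doc.get("grant_types_supported", DEFAULT_GRANT_TYPES)
    if not (isinstance(grants, list) and grants
            and all(isinstance(g, str) for g in grants)):
        problems.append("grant_types_supported: must be a non-empty list of strings")
        return problems
    grants = set(grants)

    # Required only when a supported flow actually uses the endpoint.
    required = {
        "authorization_endpoint": bool(grants & USES_AUTHORIZATION_ENDPOINT),
        # Every grant except implicit obtains its token at the token endpoint.
        "token_endpoint": grants != {"implicit"},
    }
    for name, needed in required.items():
        if name in doc:
            if not is_https_url(doc[name]):
                problems.append(f"{name}: not an https URL")
        elif needed:
            problems.append(f"{name}: required by {sorted(grants)}")
    return problems


# Constructed sample: a two-legged deployment with no authorization endpoint.
TWO_LEGGED = {
    "issuer": "https://as.example.com",
    "token_endpoint": "https://as.example.com/token",
    "grant_types_supported": ["client_credentials", "password"],
}
```

Because the default grant types both use the authorization endpoint, a two-legged server that omits grant_types_supported still fails this check; it has to list its grant types explicitly.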