Hi Evert,

The working group recently adopted a draft called Distributed OAuth that has more or less what you describe. Note that it's been adopted https://mailarchive.ietf.org/arch/msg/oauth/pziAV_EEQ9L9xeXEgtdu5s07kLM but hasn't been published as a WG document yet so, for now, is found in this individual draft https://datatracker.ietf.org/doc/draft-hardt-oauth-distributed/
There are some security considerations that emerge with that kind of approach that need to be addressed. The aforementioned draft does attempt to address them. There's also been some discussion as to what the Link header should point to (e.g. metadata document, issuer URL, authorization endpoint, token endpoint). And even whether or not a Link header should be used vs. an attribute on the WWW-Authenticate header. Most of those discussions should be in the archives: https://mailarchive.ietf.org/arch/browse/oauth/?q=Distributed+OAuth&gbt=1&index=m1TUuh7Tcha9tuDrCraIrkjy73o

So I guess to answer your question, there is interest in it and there is already some work in the form of a draft. Your input into developing that document would be welcomed.

On Sat, Sep 22, 2018 at 12:47 PM Evert Pot <[email protected]> wrote:
> Dear list,
>
> Apologies if this has been brought up before. I searched the archives
> but didn't find anything related.
> I am working on a web application + api that uses OAuth2 implicit flow
> and Bearer tokens.
>
> It occurred to me that when the API responds with a 401 request, a useful
> addition would be that the api also informs the user of the OAuth2
> authentication endpoint to redirect the user to.
>
> It makes sense to me to do this via a HTTP Link header. A response could
> look as follows:
>
> HTTP/1.1 401 Unauthorized
> WWW-Authenticate: Bearer
> Link: <https://auth.example.org/authenticate> rel="oauth2-authenticate"
>
> The reason I'm emailing is because I wanted to gauge whether this is
> interesting, or if there are problems with this approach.
>
> If it is interesting, I would like to take a stab at writing an IETF
> draft for this.
>
> Cheers,
> Evert
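As an added illustration, not code from the thread or from the Distributed OAuth draft, here is how a client could consume the 401 response Evert sketches: it parses the Link header using the RFC 8288 `;` separator, picks the `rel="oauth2-authenticate"` target, and only returns it when it is HTTPS and on a client-configured allowlist of authorization servers, since an unauthenticated response is not by itself a trusted source for where to send the user, which is the kind of consideration the reply says such an approach has to address. The sample headers, the `TRUSTED_AUTH_ORIGINS` allowlist and the function names are assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed sample headers, modelled on the 401 response in the thread
# (with the RFC 8288 ";" between target and parameters).
SAMPLE_HEADERS = {
    "WWW-Authenticate": "Bearer",
    "Link": '<https://auth.example.org/authenticate>; rel="oauth2-authenticate", '
            '<https://auth.example.org/docs>; rel="help"',
}

# Authorization servers this client is configured to trust (assumed config).
TRUSTED_AUTH_ORIGINS = {"https://auth.example.org"}

# One link-value: <target> followed by zero or more ";param=value" items.
_LINK_RE = re.compile(r'<([^>]*)>\s*((?:;\s*[^;,]+)*)')


def parse_link_header(value):
    """Parse a Link header into a list of (target, params) tuples."""
    links = []
    for m in _LINK_RE.finditer(value):
        target, raw_params = m.group(1), m.group(2)
        params = {}
        for item in raw_params.split(";"):
            item = item.strip()
            if not item:
                continue
            key, _, val = item.partition("=")
            params[key.strip().lower()] = val.strip().strip('"')
        links.append((target, params))
    return links


def oauth2_authenticate_url(status, headers, trusted_origins=TRUSTED_AUTH_ORIGINS):
    """Return the advertised authentication URL, or None if the response is not
    a Bearer 401 or the link is not HTTPS and on the trusted-origin allowlist."""
    if status != 401:
        return None
    tokens = headers.get("WWW-Authenticate", "").split()
    if not tokens or tokens[0].lower() != "bearer":
        return None
    for target, params in parse_link_header(headers.get("Link", "")):
        # rel may carry several space-separated relation types.
        if "oauth2-authenticate" not in params.get("rel", "").lower().split():
            continue
        parts = urlsplit(target)
        origin = f"{parts.scheme}://{parts.netloc}"
        if parts.scheme == "https" and origin in trusted_origins:
            return target
    return None
```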
