Some products publish both, but they don’t always return the same content, even though as far as I can tell they should be aliases.
The URI normalization of 8414 is also implemented wrong in some cases, since it differs from OIDC as far as the issuer path component is concerned. I find it best for the AS to have just one, or both with the same content; client software doing discovery can check both locations.

Sent from iPhone

> On 8. 6. 2020 at 9:46, Daniel Fett <[email protected]> wrote:
>
> Hi all,
>
> RFC8414 says that the URI where the OAuth metadata document is published is
>
> formed by inserting a well-known URI string into the authorization
> server's issuer identifier between the host component and the path
> component, if any. By default, the well-known URI string used is
> "/.well-known/oauth-authorization-server".
>
> I found that some OAuth servers and clients instead follow the convention
> used by OpenID Connect, where the suffix "/.well-known/openid-configuration"
> (or "/.well-known/oauth-authorization-server") is appended to the issuer URL.
>
> Is this a common deviation from the spec?
>
> Do you know how specific products handle this?
>
> Does it make sense to serve the metadata document from both locations?
>
> -Daniel
>
> _______________________________________________
> OAuth mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/oauth
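The two conventions discussed in this thread, and the consistency check a discovering client can run when a server publishes at more than one location, as an added example that is not part of the original messages or of any product's code. The issuer `https://as.example.com/tenant1`, the function names and the sample documents are constructed for illustration.

```python
from urllib.parse import urlsplit, urlunsplit

def _parts(issuer):
    p = urlsplit(issuer)
    # RFC 8414 section 2: https scheme, no query, no fragment.
    if p.scheme != "https" or not p.netloc or p.query or p.fragment:
        raise ValueError(f"not a valid issuer identifier: {issuer!r}")
    # A terminating "/" is removed before inserting or appending.
    return p.scheme, p.netloc, p.path.rstrip("/")

def candidate_urls(issuer):
    """Metadata locations a client may probe, labelled by convention."""
    scheme, host, path = _parts(issuer)
    def url(p):
        return urlunsplit((scheme, host, p, "", ""))
    return {
        # RFC 8414 section 3.1: well-known string inserted between host and path.
        "rfc8414-insert": url(f"/.well-known/oauth-authorization-server{path}"),
        # OpenID Connect Discovery: suffix appended to the issuer.
        "oidc-append": url(f"{path}/.well-known/openid-configuration"),
        # Deviation described in the thread: RFC 8414 suffix appended OIDC-style.
        "rfc8414-append": url(f"{path}/.well-known/oauth-authorization-server"),
    }

def check_documents(issuer, fetched):
    """fetched maps a label from candidate_urls() to the parsed JSON found there.
    Returns a list of problems; an empty list means the copies are consistent."""
    problems = []
    for label, doc in fetched.items():
        # RFC 8414 section 3.3: returned issuer must equal the one used for lookup.
        if doc.get("issuer") != issuer:
            problems.append(f"{label}: issuer mismatch ({doc.get('issuer')!r})")
    labels = sorted(fetched)
    for other in labels[1:]:
        if fetched[other] != fetched[labels[0]]:
            problems.append(f"{other}: content differs from {labels[0]}")
    return problems

# Constructed sample data, not taken from any real product.
ISSUER = "https://as.example.com/tenant1"
SAMPLE = {
    "rfc8414-insert": {"issuer": ISSUER, "token_endpoint": ISSUER + "/token"},
    "oidc-append": {"issuer": ISSUER + "/", "token_endpoint": ISSUER + "/token"},
}

if __name__ == "__main__":
    for label, u in candidate_urls(ISSUER).items():
        print(label, u)
    print(check_documents(ISSUER, SAMPLE))
```

A client that accepts a document whose `issuer` does not match the identifier it started from loses the binding between the issuer and the endpoints it goes on to trust, so a mismatch is treated here as a hard failure rather than normalized away.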
