Hi Julius,

Thank you so much for your thoughtful and detailed feedback on the draft. I truly appreciate you taking the time to review it, and I'm very glad to hear you find it useful. Thank you for getting involved!

Regarding your excellent suggestions—including adding RFC 9068 and RFC 8414 to the diagram, correcting the title for RFC 9278, noting the OIDC precursors to several OAuth standards, and updating the GNAP reference to RFC 9635—I'm happy to let you know that these have already been incorporated into the -01 version of the draft.

Your email also prompted me to perform another thorough review of the document. In doing so, I actually discovered a few additional minor errors that I had missed. I have corrected these in the new version as well.

New version: https://datatracker.ietf.org/doc/html/draft-chen-oauth-roadmap-01

I am copying the OAuth Working Group mailing list on this reply to ensure the discussion is public and to give others an opportunity to review the changes.

Thanks again for your valuable contribution and for helping improve the document.

Best,
Meiling
[email protected]

From: Julius Cordes
Date: 2026-05-02 01:10
To: i-d-announce
Subject: Re: I-D Action: draft-chen-oauth-roadmap-00.txt

Hi!

This is the very first time I’ve commented on a draft. Please let me know if I’m doing something wrong.

First of all, I have to say that I really like the draft. Something like this should have been around much sooner. Thank you very much for all the effort you’ve put into this!

Here are a few comments and ideas:

1st section, figure 1:
- In my opinion, RFC 9068 should be listed right next to (or instead of) RFC 7519. These days, it feels as though almost everyone uses a semantics that is more or less compatible with that defined in RFC 9068.
- I suggest addition of RFC 8414 to the figure, as many OAuth implementations use this or OpenID Connect Discovery. Furthermore, the majority of the other specifications mentioned in fig. 1 use RFC 8414 to register their metadata.

5th section:
RFC 9278 is „JWK Thumbprint URI“ and not „JWT Profile for OAuth 2.0 Access Tokens“ (RFC 9068).

10th section:
IMHO the document should mention that some OAuth standards have predating OIDC standard equivalents, as those OAuth standards are heavily inspired by earlier OIDC standards and compatible with their counterpart:
- OpenID Connect Core (02/2014), section 6 → JAR (RFC 9101, 08/2021)
- OpenID Connect Discovery (02/2014) → OAuth 2.0 Authorization Server Metadata (RFC 8414, 06/2018)
- OpenID Connect Dynamic Client Registration (02/2014) → OAuth 2.0 Dynamic Client Registration Protocol (RFC 7591, 07/2015)

11th section:
draft-ietf-gnap-core-protocol (GNAP) became RFC 9635 in October 2024.

Sincerely yours,
Juliu
