Correct/Update Authorization Server Discovery

Question

Correct/Update Authorization Server Discovery

Closed this issue a year ago · 0 comments

Feedback from Brian Campbell

There are a few places that mention using the WWW-Authenticate header a la RFC6750 to figure out the AS. But RFC6750 doesn't provide any AS info so that doesn't work. There's something along those lines being proposed in [https://datatracker.ietf.org/doc/draft-jones-oauth-resource-metadata/] that could get to AS info from RS info returned as a param of the WWW-Authenticate header but it's still just an individual draft currently.