RFC 8414: OAuth 2.0 Authorization Server Metadata
**# RFC 8414: OAuth 2.0 Authorization Server Metadata
Table of Contents
Overview
OAuth 2.0 Authorization Server Metadata defines a mechanism for OAuth 2.0 clients to discover the necessary endpoints and public configuration parameters of an OAuth 2.0 Authorization Server. This standardizes how authorization servers publish their metadata, making client configuration easier and more secure.
Key Concepts and Benefits
- Endpoint Discovery: Clients can automatically discover critical endpoints (authorization, token, introspection, revocation, JWKS), reducing manual configuration and errors.
- Public Configuration Parameters: Authorization servers publish supported response types, grant types, scopes, code challenge methods, and token endpoint auth methods, enabling clients to construct valid requests.
- Dynamic Client Registration Integration: Metadata is crucial for dynamically registered clients to understand server capabilities and tailor registration requests.
- Improved Interoperability: Standardized metadata format enhances compatibility between clients and servers from different vendors.
- Enhanced Security: Clients retrieve public keys (via JWKS URI) to validate signed JWTs issued by the server.
- Ease of Deployment: Developers can build robust, self-configuring OAuth 2.0 clients, reducing integration effort.
How it Works
An OAuth 2.0 Authorization Server publishes its metadata at a well-known URI. Clients make an HTTP GET request to this URI to retrieve a JSON document containing all relevant configuration parameters.
Well-Known Metadata Endpoint
- Path:
/.well-known/oauth-authorization-server - Returns: JSON document describing the server’s OAuth 2.0 configuration.
Metadata Fields
| Field | Description | Required |
|---|---|---|
issuer | Unique identifier for the authorization server | Yes |
authorization_endpoint | URL for user authorization requests | Yes |
token_endpoint | URL for obtaining access tokens | Yes |
userinfo_endpoint | URL for retrieving user profile information | No |
jwks_uri | URL for the server’s JSON Web Key Set (JWKS) | Yes |
registration_endpoint | URL for dynamic client registration | No |
scopes_supported | List of supported OAuth scopes | No |
response_types_supported | Supported OAuth response types | Yes |
grant_types_supported | Supported OAuth grant types | No |
token_endpoint_auth_methods_supported | Supported client authentication methods at the token endpoint | No |
revocation_endpoint | URL for token revocation | No |
introspection_endpoint | URL for token introspection | No |