Skip to content

RFC 8414: OAuth 2.0 Authorization Server Metadata

**# RFC 8414: OAuth 2.0 Authorization Server Metadata

Table of Contents

Overview

OAuth 2.0 Authorization Server Metadata defines a mechanism for OAuth 2.0 clients to discover the necessary endpoints and public configuration parameters of an OAuth 2.0 Authorization Server. This standardizes how authorization servers publish their metadata, making client configuration easier and more secure.

Key Concepts and Benefits

  • Endpoint Discovery: Clients can automatically discover critical endpoints (authorization, token, introspection, revocation, JWKS), reducing manual configuration and errors.
  • Public Configuration Parameters: Authorization servers publish supported response types, grant types, scopes, code challenge methods, and token endpoint auth methods, enabling clients to construct valid requests.
  • Dynamic Client Registration Integration: Metadata is crucial for dynamically registered clients to understand server capabilities and tailor registration requests.
  • Improved Interoperability: Standardized metadata format enhances compatibility between clients and servers from different vendors.
  • Enhanced Security: Clients retrieve public keys (via JWKS URI) to validate signed JWTs issued by the server.
  • Ease of Deployment: Developers can build robust, self-configuring OAuth 2.0 clients, reducing integration effort.

How it Works

An OAuth 2.0 Authorization Server publishes its metadata at a well-known URI. Clients make an HTTP GET request to this URI to retrieve a JSON document containing all relevant configuration parameters.

Well-Known Metadata Endpoint

  • Path: /.well-known/oauth-authorization-server
  • Returns: JSON document describing the server’s OAuth 2.0 configuration.

Metadata Fields

FieldDescriptionRequired
issuerUnique identifier for the authorization serverYes
authorization_endpointURL for user authorization requestsYes
token_endpointURL for obtaining access tokensYes
userinfo_endpointURL for retrieving user profile informationNo
jwks_uriURL for the server’s JSON Web Key Set (JWKS)Yes
registration_endpointURL for dynamic client registrationNo
scopes_supportedList of supported OAuth scopesNo
response_types_supportedSupported OAuth response typesYes
grant_types_supportedSupported OAuth grant typesNo
token_endpoint_auth_methods_supportedSupported client authentication methods at the token endpointNo
revocation_endpointURL for token revocationNo
introspection_endpointURL for token introspectionNo