authentication
Identify recommended reading list
Opening this to capture an action from the weekly chat: We should have a list of resources for familiarizing potential contributors with OAuth2 and JWT, and ideally list out RFCs for technologies which we intend to implement.
I would suggest this can either be a top-level markdown file linked from the README, or a README section of its own.
OAuth 2.0 Security Best Current Practice https://tools.ietf.org/html/draft-ietf-oauth-security-topics-13
https://tools.ietf.org/html/rfc8252 OAuth 2.0 for Native Apps
> OAuth 2.0 Security Best Current Practice https://tools.ietf.org/html/draft-ietf-oauth-security-topics-13
While this draft seems to be on track for publication, let's keep in mind that it's still a draft:
> Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
>
> This Internet-Draft will expire on January 9, 2020.
@koke This is a recommended reading list. I was adding the documents cited in the other issues as they would be recommended reading for discussion.
The Security BCP is in last call, so if you have any comments on the draft, this is the time to share them. You're welcome to give it a read and send feedback to the OAuth mailing list.
Here is the list I have been looking at.
- The OAuth 2.0 Authorization Framework
- OAuth 2.0 Dynamic Registration
- JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants
Not directly related, but may also be useful