fusionauth-issues
Support OAuth2 metadata RFC
Problem
I want my clients to be able to dynamically find the OAuth endpoints for FusionAuth.
Solution
Implement https://tools.ietf.org/html/rfc8414
Alternatives/workarounds
Read the documentation
Additional context
- https://github.com/FusionAuth/fusionauth-jwt/issues/23
- https://github.com/FusionAuth/fusionauth-jwt/issues/23#issuecomment-736900513
Related
- https://github.com/FusionAuth/fusionauth-issues/issues/1383
- https://github.com/FusionAuth/fusionauth-issues/issues/1832
How to vote
Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.
In my opinion you should just let /.well-known/oauth-authorization-server point to the same contents as /.well-known/openid-configuration. This should be allowed, evidence for that in the spec:
Some OAuth applications will choose to use the well-known URI suffix "openid-configuration". As described in Section 5, despite the identifier "/.well-known/openid-configuration", appearing to be OpenID specific, its usage in this specification is actually referring to a general OAuth 2.0 feature that is not specific to OpenID Connect.
@mooreds are https://github.com/FusionAuth/fusionauth-issues/issues/1383 & https://github.com/FusionAuth/fusionauth-issues/issues/1832 dups of this?
@robotdan #1832 is (and is now closed), but #1383 is different.
The latter adds a new parameter iss to the various endpoints and is useful in situations where you have more than one OAuth server being used by a client and want to ensure that the client is really interacting with the server it expects.
https://evertpot.com/oauth2-usability/ has some hot takes.
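The client side of what the feature request and the first comment describe (deriving the well-known URL from an issuer, accepting the same document under either suffix, and checking the result before using it), as an added example that is not FusionAuth's code; the example.com issuer and endpoint URLs are placeholders.

```python
# Added example (not FusionAuth code): a client doing RFC 8414 discovery and validating the result.
# Hosts under example.com are placeholders.
import json
from urllib.parse import urlparse

# RFC 8414 section 5 allows "openid-configuration" as a general OAuth 2.0 suffix, which is why
# serving one document at both well-known paths is spec-compliant.
SUFFIXES = ("oauth-authorization-server", "openid-configuration")


def well_known_urls(issuer: str) -> list[str]:
    """Metadata URLs to try for an issuer identifier, in order.
    RFC 8414 section 3 inserts "/.well-known/<suffix>" between host and path; OpenID Connect
    Discovery appends it instead, so that form is tried last for servers using only the OIDC layout.
    """
    u = urlparse(issuer)
    if u.scheme != "https" or not u.netloc or u.query or u.fragment:
        raise ValueError("issuer must be an https URL without query or fragment")
    path, base = u.path.rstrip("/"), f"{u.scheme}://{u.netloc}"
    urls = [f"{base}/.well-known/{s}{path}" for s in SUFFIXES]
    urls.append(f"{base}{path}/.well-known/openid-configuration")
    return list(dict.fromkeys(urls))  # the two forms coincide when the issuer has no path


def validate_metadata(expected_issuer: str, body: str) -> dict:
    """Apply the RFC 8414 section 3.3 checks before any endpoint in the document is used."""
    md = json.loads(body)
    # "issuer" MUST equal the identifier the URL was built from; otherwise the document MUST NOT be
    # used. This is what keeps a client from adopting endpoints published by some other server.
    if md.get("issuer") != expected_issuer:
        raise ValueError(f"issuer mismatch: expected {expected_issuer!r}, got {md.get('issuer')!r}")
    if "response_types_supported" not in md:
        raise ValueError("response_types_supported is required")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if key in md and urlparse(md[key]).scheme != "https":
            raise ValueError(f"{key} must be an https URL")
    return md


# Constructed sample of the document one server would publish at both well-known paths.
SAMPLE_METADATA = json.dumps({
    "issuer": "https://auth.example.com/tenant1",
    "authorization_endpoint": "https://auth.example.com/oauth2/authorize",
    "token_endpoint": "https://auth.example.com/oauth2/token",
    "response_types_supported": ["code"],
})

if __name__ == "__main__":
    print(well_known_urls("https://auth.example.com/tenant1"))
    print(validate_metadata("https://auth.example.com/tenant1", SAMPLE_METADATA)["token_endpoint"])
```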