RFC8414 OAuth Metadata: Implement default behavior

Issue #300 resolved
Daniel Fett created an issue

The current way of building the oauth metadata URL is not conformant to the spec.

Current implementation: Append /.well-known/oauth-authorization-server as a suffix to the issuer URL (code).

Default behavior in RFC8414: Inserting /.well-known/oauth-authorization-server as an infix between the origin and the path of the issuer URL.

   Authorization servers supporting metadata MUST make a JSON document
   containing metadata as specified in Section 2 available at a path
   formed by inserting a well-known URI string into the authorization
   server's issuer identifier between the host component and the path
   component, if any.  By default, the well-known URI string used is
   "/.well-known/oauth-authorization-server".

This should be an option, or even the default option.
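The two constructions contrasted in this issue, as an added example (not code from the project or from the issue author). Function names and the example.com issuers are hypothetical; the example also applies the RFC 8414 rules that a terminating "/" is removed before insertion and that the `issuer` in the fetched document must be identical to the issuer used to build the URL.

```python
from urllib.parse import urlsplit, urlunsplit

WELL_KNOWN = "/.well-known/oauth-authorization-server"


def _split_issuer(issuer):
    """Parse an issuer identifier: https, has a host, no query or fragment."""
    if "?" in issuer or "#" in issuer:
        raise ValueError("issuer must not contain a query or fragment")
    parts = urlsplit(issuer)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("issuer must be an https URL with a host")
    # A terminating "/" is removed before the well-known string is added.
    path = parts.path[:-1] if parts.path.endswith("/") else parts.path
    return parts.netloc, path


def metadata_url_rfc8414(issuer, well_known=WELL_KNOWN):
    """RFC 8414 default: insert the string between host and path."""
    netloc, path = _split_issuer(issuer)
    return urlunsplit(("https", netloc, well_known + path, "", ""))


def metadata_url_suffix(issuer, well_known=WELL_KNOWN):
    """Behaviour the issue reports: append the string after the path."""
    netloc, path = _split_issuer(issuer)
    return urlunsplit(("https", netloc, path + well_known, "", ""))


def issuer_matches(issuer, metadata):
    """Reject a metadata document whose issuer differs from the one requested."""
    return metadata.get("issuer") == issuer


if __name__ == "__main__":
    # Constructed issuers: the two forms only differ when a path is present.
    for iss in ("https://example.com", "https://example.com/issuer1"):
        print(iss)
        print("  infix :", metadata_url_rfc8414(iss))
        print("  suffix:", metadata_url_suffix(iss))
```

For an issuer without a path both functions return the same URL, which is why the difference only shows up with path-based (for example multi-tenant) issuers.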
