- changed status to open
RFC8414 OAuth Metadata: Implement default behavior
The current way of building the oauth metadata URL is not conformant to the spec.
Current implementation: Append /.well-known/oauth-authorization-server as a suffix to the issuer URL (code).
Default behavior in RFC8414: Inserting /.well-known/oauth-authorization-server as an infix between the origin and the path of the issuer URL.
Authorization servers supporting metadata MUST make a JSON document
containing metadata as specified in Section 2 available at a path
formed by inserting a well-known URI string into the authorization
server's issuer identifier between the host component and the path
component, if any. By default, the well-known URI string used is
"/.well-known/oauth-authorization-server".
This should be an option, or even the default option.
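The two constructions compared in the report, side by side, as an added example (not code from the project or from the reporter). The issuer values are constructed, the function names are hypothetical, and the trailing-slash handling in the suffix form is an assumption; the issuer constraints and the returned-issuer comparison follow RFC 8414 sections 2 and 3.3.

```python
from urllib.parse import urlsplit, urlunsplit

WELL_KNOWN = "/.well-known/oauth-authorization-server"


def _checked(issuer: str):
    """Split the issuer and enforce the RFC 8414 section 2 constraints."""
    parts = urlsplit(issuer)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("issuer must be an https URL with a host")
    if parts.query or parts.fragment:
        raise ValueError("issuer must not carry a query or fragment")
    return parts


def metadata_url_infix(issuer: str) -> str:
    """RFC 8414 default: well-known string between host and issuer path."""
    parts = _checked(issuer)
    path = parts.path.rstrip("/")  # a terminating "/" is removed before inserting
    return urlunsplit((parts.scheme, parts.netloc, WELL_KNOWN + path, "", ""))


def metadata_url_suffix(issuer: str) -> str:
    """Suffix form described in the report: well-known string appended."""
    parts = _checked(issuer)
    path = parts.path.rstrip("/")  # assumption: avoid a doubled slash
    return urlunsplit((parts.scheme, parts.netloc, path + WELL_KNOWN, "", ""))


def issuer_matches(requested_issuer: str, metadata: dict) -> bool:
    """RFC 8414 section 3.3: the returned issuer must equal the one requested."""
    return metadata.get("issuer") == requested_issuer


if __name__ == "__main__":
    # Constructed issuers: one without a path, one tenant-style with a path.
    for iss in ("https://as.example.com", "https://as.example.com/tenant1"):
        print(iss)
        print("  infix :", metadata_url_infix(iss))
        print("  suffix:", metadata_url_suffix(iss))
```

The two forms coincide when the issuer has no path and diverge only for path-bearing issuers, which is why the difference tends to surface with multi-tenant authorization servers.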
Comments (2)
- changed status to resolved
Fixed in e750e94d. Released in 8.5.
Thanks for the report!