language around server metadata is quite involved
https://openid.net/specs/openid-connect-federation-1_0-23.html#section-4.1 is quite involved.
It says:
For instance, for OpenID Connect federations, this specification uses metadata values from OpenID Connect Discovery 1.0 [OpenID.Discovery] and OpenID Connect Dynamic Client Registration 1.0 [OpenID.Registration] and adds additional values used for federations.
For OAuth2 federations, this specification uses metadata values from OAuth 2.0 Authorization Server Metadata as specified in [RFC8414].
For both OpenID Connect and OAuth2 metadata the following properties are defined.
I find it quite hard to follow, particularly how it distinguishes between OAuth2 federations and OpenID Connect federations. You can read it such that an OpenID Connect federation can only use values defined in the OIDC specs, meaning OIDC federations can’t use (say) CIBA or MTLS client auth as those metadata values would only be in the IANA registry.
Would we lose anything by replacing the above text with references to the respective IANA registries (which then refer onto the OIDC specs for the OIDC items)?
- changed status to open
As discussed during the 6-Oct-22 working group call, we could be clearer about the distinction between Connect federations and OAuth 2 federations and why we even talk about the latter.
assigned issue to
assigned issue to
I will create a PR to do this.
- changed status to resolved
Joseph suggested that we also explicitly refer to the registry.