ORCID-Source icon indicating copy to clipboard operation
ORCID-Source copied to clipboard
verified publisher icon ORCID

Support /.well-known/oauth-authorization-server

Open mitar opened this issue 5 years ago • 3 comments

This allows auto-configuration of the OAuth client.

See more information in this RFC: https://tools.ietf.org/html/rfc8414

Example: https://developer.okta.com/docs/reference/api/oidc/#well-known-oauth-authorization-server

There is similar configuration for OpenID Connect, which could also be provided: https://developer.okta.com/docs/reference/api/oidc/#well-known-openid-configuration

mitar avatar Aug 05 '20 07:08 mitar

Hi Mitar,

We already support open id configuration at https://orcid.org/.well-known/openid-configuration but was not aware of https://tools.ietf.org/html/rfc8414

Do you know how different the formats are? Can we simply deliver the same metadata from both?

TomDemeranville avatar Aug 06 '20 14:08 TomDemeranville

You can, but the oauth-authorization-server has few more fields, e.g.:

  • revocation_endpoint
  • revocation_endpoint_auth_methods_supported
  • revocation_endpoint_auth_signing_alg_values_supported
  • introspection_endpoint
  • introspection_endpoint_auth_methods_supported
  • introspection_endpoint_auth_signing_alg_values_supported
  • code_challenge_methods_supported

At the same time openid-configuration has some extra fields, e.g.:

  • acr_values_supported
  • subject_types_supported
  • id_token_signing_alg_values_supported
  • id_token_encryption_alg_values_supported
  • id_token_encryption_enc_values_supported
  • userinfo_signing_alg_values_supported
  • userinfo_encryption_alg_values_supported
  • userinfo_encryption_enc_values_supported
  • request_object_signing_alg_values_supported
  • request_object_encryption_alg_values_supported
  • request_object_encryption_enc_values_supported
  • display_values_supported
  • claim_types_supported
  • claims_supported
  • claims_locales_supported
  • claims_parameter_supported
  • request_parameter_supported
  • request_uri_parameter_supported
  • require_request_uri_registration

Because both of them allow additional parameters, I think it is safe to have only one metadata and serve it at both locations.

mitar avatar Aug 06 '20 16:08 mitar

We already support open id configuration

Oh, I missed that. I see why. Because it does not allow CORS access. I will open another issue for that.

Edit: Done: https://github.com/ORCID/ORCID-Source/issues/5978

mitar avatar Aug 06 '20 16:08 mitar