dannymeloy
commented
4 years ago Hi Gareth,
- The RAML is currently mistaken - the /.well-known/.. endpoint will hang off the the root path (e.g.
https://{host}:{port}/.well-known/oauth-authorization-server.) - With regards to both versioning of the well-known endpoint (mentioned in issue #9) and multiple issuers on the same host, the thinking currently is that we define another text record in the DNS-SD announcement (call it
issuer_path.), for a given auth server instance, that defines the {issuer} tag in the.well-knownurl. This will usually be blank or omitted, meaning clients default to the URL you have given above. If multiple auth services are hosted on the same host, or if integrating with an Off-the-Shelf auth server with a metadata URL with a different {issuer}, thisissuer_pathrecord can distinguish/point-at the auth server instances. From an NMOS perspective, this record could also give clients distinct server metadata URLs for different versions if we needed to - using two DNS-SD records with different text records. In this case, both theapi_verandissuer_pathrecords may both be equal tov1.1for example.
I hope that makes sense...
garethsb
NEOAdvancedTechnology
The current goal is to align IS-10 with RFC 8414, and as such support the method defined in RFC 8414 Section 3 for discovery of the server endpoints.
The current RAML adds a /.well-known/oauth-authorization-server endpoint. However, that is relative to the base URL defined in the RAML which is /x-nmos/auth/{version}.
I wondered if the intent was to have a top-level /.well-known/oauth-authorization-server endpoint that redirected to the one defined in the RAM L, but I can't see that RFC 8414 (or RFC 5785) allow a redirect response, suggesting only 200 OK for a successful response?
(I'm also not clear as to the use-cases for RFC 8414 multiple issuers on a host, which it describes in section 3.1, resulting in the well-known URL request being to https://api.example.com/.well-known/oauth-authorization-server/{issuer} instead. Can you explain?)