SURFnet / surf-token-based-access


Make scope info endpoint discoverable? #41

Closed michielbdejong closed 2 weeks ago

michielbdejong commented 3 months ago

Today we talked about creating a /.well-known/resource-helper document where the scope info endpoint of a Resource Helper can be discovered. But https://datatracker.ietf.org/doc/html/rfc7662 says:

The means by which the protected resource discovers the location of the introspection endpoint are outside the scope of this specification.

So maybe we should leave it out of scope here as well then?

michielbdejong commented 3 months ago

When adding an RH to an AS, if there is a .well-known mechanism, you still need to specify the FQDN of the RH, e.g. helper.drive.surf.nl So then I think it's just a small step to specify the full https://helper.drive.surf.nl/scope-info URL? Unless there are several URLs to configure, or they change frequently, I think the gain from a .well-known mechanism is not so big.

Also, for OIDC the .well-known mechanism is used each time a user logs in (potentially thousands of times per day), and this one would only be used once in the lifetime of the AS-RH relationship.

michielbdejong commented 2 months ago

I found OAuth Discovery and /.well-known/uma2-configuration - maybe we should just propose a field `scope_info` as an addition to this list.
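The discovery mechanism discussed in this thread, as an added example that is not code from the surf-token-based-access project: it builds the RFC 8414 well-known URL for an issuer (the OAuth Authorization Server Metadata document, or the UMA 2.0 `uma2-configuration` variant) and then reads the `scope_info` field proposed above out of a metadata document. The `scope_info` field name, the issuer `https://helper.drive.surf.nl` and the metadata JSON are assumptions constructed for the example; the code fetches nothing and takes the metadata text as a parameter so it runs offline. The two checks it applies (the returned `issuer` must equal the configured issuer, and the endpoint must be an https URL) are what keeps a tampered or mis-served metadata document from silently pointing the AS at a different scope info endpoint.

```python
"""Build an RFC 8414 discovery URL and read a proposed scope_info field.

Added example; not part of the surf-token-based-access project.
"""
import json
from urllib.parse import urlsplit, urlunsplit

# RFC 8414 registers "oauth-authorization-server"; UMA 2.0 uses "uma2-configuration".
WELL_KNOWN_SUFFIX = "oauth-authorization-server"


def discovery_url(issuer: str, suffix: str = WELL_KNOWN_SUFFIX) -> str:
    """RFC 8414 section 3: insert /.well-known/<suffix> between the host and
    the issuer's path component.

      https://helper.example        -> https://helper.example/.well-known/<suffix>
      https://helper.example/tenant -> https://helper.example/.well-known/<suffix>/tenant
    """
    parts = urlsplit(issuer)
    # RFC 8414 requires an https issuer identifier with no query or fragment.
    if parts.scheme != "https" or not parts.netloc or parts.query or parts.fragment:
        raise ValueError("issuer must be an https URL without query or fragment")
    path = parts.path.rstrip("/")  # "" for a bare host or a trailing slash
    return urlunsplit((parts.scheme, parts.netloc, f"/.well-known/{suffix}{path}", "", ""))


def scope_info_endpoint(issuer: str, metadata_json: str) -> str:
    """Extract the (hypothetical) scope_info endpoint from a metadata document.

    Validates the document the way a client should before trusting any endpoint
    in it: the issuer it claims must be exactly the issuer we resolved, and the
    endpoint must itself be an https URL.
    """
    metadata = json.loads(metadata_json)
    if metadata.get("issuer") != issuer:
        raise ValueError("metadata issuer does not match the configured issuer")
    endpoint = metadata.get("scope_info")  # assumed field name proposed in this issue
    if not isinstance(endpoint, str):
        raise ValueError("metadata has no scope_info field")
    parts = urlsplit(endpoint)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("scope_info endpoint must be an https URL")
    return endpoint


# Constructed sample: the issuer name is taken from the thread, the metadata is made up.
SAMPLE_ISSUER = "https://helper.drive.surf.nl"
SAMPLE_METADATA = json.dumps({
    "issuer": SAMPLE_ISSUER,
    "scope_info": "https://helper.drive.surf.nl/scope-info",
})


if __name__ == "__main__":
    print(discovery_url(SAMPLE_ISSUER))
    print(discovery_url(SAMPLE_ISSUER, "uma2-configuration"))
    print(scope_info_endpoint(SAMPLE_ISSUER, SAMPLE_METADATA))
```

Note that with a bare hostname the discovery URL and the directly configured endpoint differ by one path segment, which is the point made above: the `.well-known` indirection only pays off when the endpoint set is larger than one URL or changes over time, and the AS still has to be told the issuer either way.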