aaronpk / oauth-first-party-apps

https://datatracker.ietf.org/doc/html/draft-parecki-oauth-first-party-apps

Returning a token from the endpoint #66

Closed yaronf closed 2 months ago

yaronf commented 6 months ago

Sec. 3.1: why doesn't the new endpoint return an access token when successful? Yes, this is possibly a premature optimization, but it sounds harmless enough. Even if we don't specify it, people are still likely to do it, so shouldn't we have an opinion on whether it is allowed?

Maybe this could go into the Design Goals appendix.

aaronpk commented 5 months ago

Yes, this should go into the design goals section. The idea is to enable an existing AS to more easily adopt this, by not adding a new endpoint that tokens are returned from. Instead, this new endpoint only returns an authorization code which can be exchanged for an access token at the existing token endpoint, taking advantage of all the existing logic around client authentication, token binding, rate limiting, etc.
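The two-step flow described in that reply, as an added toy example that is not part of the draft or of either commenter's code: the new endpoint authenticates the user and hands back only a one-time authorization code; the existing token endpoint, unchanged, is where client authentication, PKCE verification, single-use and expiry checks, and rate limiting already live, so the new endpoint inherits them for free. Endpoint and parameter names, the error codes, the TTL and the rate limit are assumptions for illustration; the PKCE S256 transform is the one from RFC 7636.

```python
import base64
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 60           # assumed: lifetime of a one-time authorization code
TOKEN_ATTEMPTS_PER_WINDOW = 5   # assumed: per-client attempt budget at the token endpoint


def pkce_challenge(verifier: str) -> str:
    """RFC 7636 S256: BASE64URL(SHA256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AuthorizationServer:
    """In-memory AS: the new endpoint mints codes, the existing token endpoint mints tokens."""

    def __init__(self, clients, users, now=time.time):
        self.clients = clients      # client_id -> client_secret (constructed)
        self.users = users          # username -> password (constructed)
        self.codes = {}             # code -> record binding it to client, PKCE challenge, expiry
        self.token_attempts = {}    # client_id -> attempts seen, for the rate limit
        self.now = now

    # New endpoint from the draft (name assumed): returns a code, never a token.
    def authorization_challenge(self, client_id, code_challenge, username, password):
        if client_id not in self.clients:
            return {"error": "invalid_client"}
        if not hmac.compare_digest(self.users.get(username, ""), password):
            return {"error": "invalid_request"}   # assumed error code
        code = secrets.token_urlsafe(32)
        self.codes[code] = {
            "client_id": client_id,
            "code_challenge": code_challenge,
            "username": username,
            "expires_at": self.now() + CODE_TTL_SECONDS,
        }
        return {"authorization_code": code}

    # Existing token endpoint, untouched: every check the reply lists is already here.
    def token(self, client_id, client_secret, grant_type, code, code_verifier):
        attempts = self.token_attempts.get(client_id, 0) + 1
        self.token_attempts[client_id] = attempts
        if attempts > TOKEN_ATTEMPTS_PER_WINDOW:      # rate limiting
            return {"error": "slow_down"}
        expected = self.clients.get(client_id)
        if expected is None or not hmac.compare_digest(expected, client_secret):
            return {"error": "invalid_client"}        # client authentication
        if grant_type != "authorization_code":
            return {"error": "unsupported_grant_type"}
        record = self.codes.pop(code, None)           # single use: consumed on first lookup
        if record is None or record["expires_at"] < self.now():
            return {"error": "invalid_grant"}         # unknown, replayed or expired code
        if record["client_id"] != client_id:
            return {"error": "invalid_grant"}         # code bound to a different client
        if not hmac.compare_digest(pkce_challenge(code_verifier), record["code_challenge"]):
            return {"error": "invalid_grant"}         # PKCE binding to the original caller
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": 3600, "sub": record["username"]}


def demo():
    """Walk the flow and return which protections the unchanged token endpoint enforced."""
    clock = [1_000_000.0]
    srv = AuthorizationServer(clients={"native-app": "s3cret", "other-app": "0ther"},
                              users={"alice": "correct horse"}, now=lambda: clock[0])
    verifier = secrets.token_urlsafe(32)
    challenge = pkce_challenge(verifier)

    def new_code():
        return srv.authorization_challenge("native-app", challenge, "alice", "correct horse")

    results = {}
    first = new_code()
    results["challenge_returns_code_only"] = "authorization_code" in first and "access_token" not in first
    ok = srv.token("native-app", "s3cret", "authorization_code", first["authorization_code"], verifier)
    results["exchange_ok"] = ok.get("token_type") == "Bearer" and ok.get("sub") == "alice"
    replay = srv.token("native-app", "s3cret", "authorization_code", first["authorization_code"], verifier)
    results["replay_rejected"] = replay.get("error") == "invalid_grant"
    bad_pkce = srv.token("native-app", "s3cret", "authorization_code", new_code()["authorization_code"], "wrong")
    results["wrong_verifier_rejected"] = bad_pkce.get("error") == "invalid_grant"
    stolen = srv.token("other-app", "0ther", "authorization_code", new_code()["authorization_code"], verifier)
    results["other_client_rejected"] = stolen.get("error") == "invalid_grant"
    stale = new_code()["authorization_code"]
    clock[0] += CODE_TTL_SECONDS + 1
    results["expired_rejected"] = srv.token("native-app", "s3cret", "authorization_code", stale, verifier).get("error") == "invalid_grant"
    # native-app has now spent 4 attempts; two more with a bad secret hit auth, then the limit
    results["bad_secret_rejected"] = srv.token("native-app", "nope", "authorization_code", stale, verifier).get("error") == "invalid_client"
    results["rate_limited"] = srv.token("native-app", "nope", "authorization_code", stale, verifier).get("error") == "slow_down"
    return results


if __name__ == "__main__":
    for check, passed in demo().items():
        print(f"{check}: {'ok' if passed else 'FAIL'}")
```

The point the reply makes shows up in where the checks sit: `authorization_challenge` does nothing but verify the user and mint a short-lived, client-bound code, while replay, PKCE mismatch, cross-client use, expiry, bad client credentials and excess attempts are all caught by the token endpoint an existing AS already has. Had the new endpoint returned an access token directly, every one of those checks would have had to be duplicated there.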