oauth-wg / oauth-identity-chaining

Draft specification for Identity Chaining
https://drafts.oauth.net/oauth-identity-chaining/draft-ietf-oauth-identity-chaining.html

#47 Update authorization server discovery usage #58

Closed arndt-s closed 1 year ago

arndt-s commented 1 year ago

Based on Brian's feedback, WWW-Authenticate cannot be used as it does not contain authorization server information. He suggested using [draft-ietf-oauth-resource-metadata-00](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-resource-metadata-00) instead.

This PR removes WWW-Authenticate from the draft and suggests that the reader use protected resource metadata instead when authorization server discovery is needed.

bc-pi commented 1 year ago

I didn't mean to suggest the use of protected resource metadata. I only mentioned its existence as the only thing I'm aware of currently that touches on that kind of discovery. Honestly, I think it might be a bit premature to reference it at this point. But I suppose it's okay given it's described as just one option to identify the authorization server.