Despite the specification explicitly stating "This is an Authorization Framework" as of OAuth 2.0, some Authorization Server/Resource Server and many Client developers have been using this for the purpose of user authentication. In order to avoid the occurrence of vulnerabilities and the lack of interoperability, I hope to include the following sentences:
Clients should not (or must not) implement user authentication functionality using this framework.
If an Authorization server wants to provide user authentication functionality to a Client, it should refer to the expanded OIDC specification for that purpose.
Despite the specification explicitly stating "This is an Authorization Framework" as of OAuth 2.0, some Authorization Server/Resource Server and many Client developers have been using this for the purpose of user authentication. In order to avoid the occurrence of vulnerabilities and the lack of interoperability, I hope to include the following sentences: