RFC statuses and oauthlib roadmaps

[JonathanHuot]

Currently, oauthlib feature list is maintained here: https://oauthlib.readthedocs.io/en/latest/feature_matrix.html

We can improve it by showing all "OAuth"-related RFCs, and the status/roadmap for each (if not applicable, or "won't do", say it). Also, we can split RFCs bullet points when too big.

I'm starting the list of them for OAuth2:

• rfc6749 The OAuth 2.0 Authorization Framework
• rfc6750 The OAuth 2.0 Authorization Framework: Bearer Token Usage
• rfc7009 OAuth 2.0 Token Revocation
• rfc7662 OAuth 2.0 Token Introspection
• rfc7636 Proof Key for Code Exchange by OAuth Public Clients
• rfc6819 OAuth 2.0 Threat Model and Security Considerations
• rfc7519 JSON Web Token (JWT)
• rfc7523 JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants
• rfc8252 OAuth 2.0 for Native Apps
• openid 1.0 e1 OpenID Connect Core 1.0 errset1

Statuses proposed:

• done or since x.y.z
• in progress
• won't do / n/a
• contributor friendly

In either cases, we can link to an github issue or discussions if any #123. The project become bigger and having visibility on the current states would be great. I understand it takes some time to maintain this list, but that's for the benefit of the newcomers also.

What do you guys think ?

[duaneking]

We really need to make our road-map public, if only to help with projects that depend on us. The goal of course is to make things public but it also would allow us to collect feedback from our "customers" (The devs who work on things that use our lib) to prioritize our features the correct way in response to market demand.

That stated, I think Anything JWT related has a priority than anything that isn't JWT related as that is where things are going and I feel like we risk being left behind if we dont support it, especially given the fact its been wanted for so long by so many.

[IvanAnishchuk]

rfc7522 Security Assertion Markup Language (SAML) 2.0 Profile for OAuth 2.0 Client Authentication and Authorization Grants would be useful for many enterprise consumers and probably shouldn't take too much effort once rfc7523 is done.

And while I understand that we shouldn't rush implementing draft specs, it would be great if oauthlib were at least prepared for oauth token exchange to be implemented once standardized.

[duaneking]

I agree, no matter what rfc7523 is a higher priority.

[JonathanHuot]

I totally agree with you. Also, I am currently improving some part of the documentation to help contributors adding new grant types.

Please, have a look and comment on https://github.com/oauthlib/oauthlib/pull/702 (WIP).