OAuth 2.0 Authorization Server Metadata

[jbasney]

A SciTokens Authorization Server should publish OAuth 2.0 Authorization Server Metadata rather than OpenID Provider Metadata.

No "claims_supported" or "id_token_signing_alg_values_supported" or "userinfo_endpoint" entries.

And it should be published at issuer/.well-known/oauth-authorization-server rather than issuer/.well-known/openid-configuration.

[jbasney]

RFC 8414 is now published with the specification for OAuth 2.0 Authorization Server Metadata. As discussed in https://github.com/scitokens/scitokens/issues/75, see RFC 8414 Compatibility Notes about constructing the discovery endpoint URL for issuers with path components:

OpenID Connect Discovery 1.0 specifies that the well-known URI string is appended to the issuer identifier (e.g., "https://example.com/issuer1/.well-known/openid-configuration"), whereas this specification specifies that the well-known URI string is inserted before the path component of the issuer identifier (e.g., "https://example.com/.well-known/openid-configuration/issuer1").