Overview#What is missing in OAuth 2.0
- No Discovery Mechanism
- Mandatory Authentication of the Resource Owner
- No Authentication Assurance Level
- No information on the Resource Owner
- No Logout Process (Well since we did not Authenticate why Logout Process)
- Some folks imply that there is a Authentication Double-Hop issue.
- Allows HTTP GET for Authorization Response which has Information Leakage issues. OpenID Connect OpenID Connect formally defined a HTTP POST response mode.