OAuth 2.0 Authorization Server Metadata


OAuth 2.0 Authorization Server Metadata is defined in RFC 8414. It defines a metadata format that an OAuth 2.0 client can use to obtain the information needed to interact with an OAuth 2.0 Authorization Server, including its OAuth 2.0 Endpoint locations and Authorization Server capabilities.

OAuth 2.0 Authorization Server Metadata generalizes the discovery mechanisms defined by OpenID Connect Discovery 1.0 in a way that is compatible with Openid-configuration, while being applicable to a wider set of OAuth 2.0 use cases. This is intentionally parallel to the way that the "OAuth 2.0 Dynamic Client Registration Protocol" (RFC 7591) specification generalized the dynamic client registration mechanisms defined by "OpenID Connect Dynamic Client Registration 1.0" [OpenID.Registration] in a way that was compatible with it.

The metadata for an Authorization Server is retrieved from a well-known location as a JSON (RFC 7159) document, which declares its endpoint locations and Authorization Server capabilities.

This metadata can either be communicated in a self-asserted fashion by the server origin via HTTPS or as a set of signed metadata values represented as claims in a JSON Web Token (JWT). In the JWT case, the issuer is vouching for the validity of the data about the Authorization Server. This is analogous to the role that the Software Statement plays in OAuth Dynamic Client Registration Metadata (RFC 7591).

The means by which the OAuth Client chooses an Authorization Server is out of scope in OAuth 2.0 Authorization Server Metadata. In some cases, its issuer identifier may be manually configured into the client. In other cases, it may be dynamically discovered, for instance, through the use of WebFinger (RFC 7033), as described in Section 2 of "OpenID Connect Discovery 1.0" [OpenID.Discovery].
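The client-side handling of self-asserted metadata, as an added example that is not part of the original page or of RFC 8414 itself: it builds the well-known URL from a configured issuer identifier and rejects a retrieved document whose `issuer` does not match. The function names, the `as.example.com` host, the sample document and the https-only endpoint rule are assumptions made for this example.

```python
import json
from urllib.parse import urlsplit, urlunsplit

WELL_KNOWN = "/.well-known/oauth-authorization-server"


def metadata_url(issuer):
    """Build the RFC 8414 Section 3 metadata URL for an issuer identifier."""
    u = urlsplit(issuer)
    # Section 2: the issuer is an https URL with no query or fragment.
    if u.scheme != "https" or not u.netloc or u.query or u.fragment:
        raise ValueError("issuer must be an https URL without query or fragment")
    # The well-known string is inserted between the host and the issuer's
    # path component, after dropping a terminating "/".
    path = u.path[:-1] if u.path.endswith("/") else u.path
    return urlunsplit(("https", u.netloc, WELL_KNOWN + path, "", ""))


def validate_metadata(expected_issuer, document):
    """Parse a metadata response; raise ValueError unless it can be trusted."""
    meta = json.loads(document)
    if not isinstance(meta, dict):
        raise ValueError("metadata must be a JSON object")
    # Section 3.3: the returned issuer must be identical to the issuer the
    # URL was built from, otherwise the document must not be used.
    if meta.get("issuer") != expected_issuer:
        raise ValueError("issuer mismatch")
    # response_types_supported is a REQUIRED member (Section 2).
    if not meta.get("response_types_supported"):
        raise ValueError("response_types_supported missing")
    # Assumed client policy for this example: never accept a non-https endpoint.
    for key, value in meta.items():
        if key.endswith("_endpoint") or key == "jwks_uri":
            if not isinstance(value, str) or urlsplit(value).scheme != "https":
                raise ValueError(f"{key} is not an https URL")
    return meta


# Constructed sample response, not taken from a real server.
GOOD = json.dumps({
    "issuer": "https://as.example.com/tenant1",
    "authorization_endpoint": "https://as.example.com/tenant1/authorize",
    "token_endpoint": "https://as.example.com/tenant1/token",
    "response_types_supported": ["code"],
})
```

The string comparison on `issuer` is deliberately exact, with no normalization, so a document served for a different tenant path or host is refused.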
