Overview#
What is missing in OAuth 2.0#
- No Discovery Mechanism
- Mandatory Authentication of the Resource Owner
- There is nothing in OAuth 2.0 about Authentication (OAuth 2.0 is NOT an Authentication protocol)
- No Authentication Assurance Level
- No information on the Resource Owner
- No Logout Process (since OAuth 2.0 never Authenticated anyone, there is nothing to log out of)
- Some folks imply that there is an Authentication Double-Hop issue.
- Allows HTTP GET for the Authorization Response, which has Data Leakage issues (the code and state land in URLs, logs and Referer headers). OpenID Connect formally defined an HTTP POST response mode.
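To make the gaps in the list concrete, here is an added example (not from the original page, and not any provider's or library's code) of what a Relying Party does once OpenID Connect fills them in: it reads a discovery document, asks for the `form_post` response mode and a minimum assurance level in the authentication request, and then validates the ID Token's authentication claims (`iss`, `aud`, `nonce`, `acr`, `auth_time`) that a bare OAuth 2.0 access token never carries. The discovery document, the client_id `rp-client`, the `urn:example:loa:*` acr values, the HS256 shared secret and the assumption that `acr_values_supported` is listed weakest first are all constructed for this example; a real RP would fetch discovery over HTTPS and verify an RS256 signature against the provider's JWKS.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional
from urllib.parse import urlencode

# Constructed stand-in for an OpenID Provider's /.well-known/openid-configuration
# document (assumption: not a real provider; values chosen for this example only).
DISCOVERY = {
    "issuer": "https://op.example",
    "authorization_endpoint": "https://op.example/authorize",
    "token_endpoint": "https://op.example/token",
    "userinfo_endpoint": "https://op.example/userinfo",
    "end_session_endpoint": "https://op.example/logout",
    "response_modes_supported": ["query", "fragment", "form_post"],
    "acr_values_supported": ["urn:example:loa:1", "urn:example:loa:2"],
}

CLIENT_ID = "rp-client"                      # hypothetical Relying Party client_id
SHARED_SECRET = b"constructed-demo-secret"   # HS256 key shared with the OP (demo only)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def authorization_request_url(state: str, nonce: str, acr: str) -> str:
    """Build the RP's authentication request: ask for the POST response mode
    (code and state travel in a request body, not a URL) when discovery
    advertises it, and request a minimum assurance level via acr_values."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": "https://rp.example/callback",   # hypothetical RP callback
        "scope": "openid profile",
        "state": state,
        "nonce": nonce,
        "acr_values": acr,
    }
    if "form_post" in DISCOVERY["response_modes_supported"]:
        params["response_mode"] = "form_post"
    return DISCOVERY["authorization_endpoint"] + "?" + urlencode(params)


def make_id_token(claims: dict, key: bytes = SHARED_SECRET) -> str:
    """Mint an HS256-signed ID Token (stand-in for what the OP would issue)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def validate_id_token(token: str, expected_nonce: str, min_acr: str,
                      max_auth_age: int, now: int, key: bytes = SHARED_SECRET) -> dict:
    """Check the signature and the authentication claims an RP relies on.
    Raises ValueError at the first failed check; returns the claims on success."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != DISCOVERY["issuer"]:          # who actually authenticated the user
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        raise ValueError("audience mismatch")             # token was minted for another client
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:             # binds the token to this RP session
        raise ValueError("nonce mismatch")
    # Assurance level: assumption that acr_values_supported is listed weakest first.
    levels = DISCOVERY["acr_values_supported"]
    if claims.get("acr") not in levels or levels.index(claims["acr"]) < levels.index(min_acr):
        raise ValueError("assurance level too low")
    if now - claims.get("auth_time", 0) > max_auth_age:   # the login itself happened too long ago
        raise ValueError("authentication too old")
    return claims


def rejection_reason(token: str, expected_nonce: str, min_acr: str,
                     max_auth_age: int, now: int) -> Optional[str]:
    """None when the token is accepted, otherwise the name of the failing check."""
    try:
        validate_id_token(token, expected_nonce, min_acr, max_auth_age, now)
        return None
    except ValueError as exc:
        return str(exc)
```

Each check in `validate_id_token` corresponds to one line of the list above: `iss` comes from discovery, `auth_time` and `nonce` are what make this an authentication rather than a delegation, `acr` carries the assurance level, the `sub` claim (and the `userinfo_endpoint`) supplies information on the Resource Owner, and `end_session_endpoint` is where a logout would go. The `response_mode=form_post` parameter keeps the authorization response out of query strings.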