In CAEPIOP 1.0, 2.7.2 ("OAuth Scopes") explicitly mentions OAuth Protected Resource Metadata (OPRM, RFC 9728) for scope discovery, but neither CAEPIOP 2.7 nor SSF 1.0 7 explicitly says how a Receiver should discover the Authorization Server itself, given only a Transmitter URL.
In practice OPRM's authorization_servers field is the only in-band mechanism that does this, but the spec doesn't say so directly.
I think it would help interop if CAEPIOP 2.7 stated the expected discovery path explicitly.
Currently in the conformance tests, we require the configuration of a token endpoint if "Authentication Variant" is set to "dynamic".
If we could optionally leverage the OAuth resource server from the OPRM, we could discover the token endpoint through the OAuth Authorization Server metadata if present.
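The discovery path sketched above (Transmitter URL -> OPRM `authorization_servers` -> AS metadata -> `token_endpoint`), written out as an added example rather than code from the conformance suite or any spec. It assumes the Transmitter URL is the OPRM `resource` identifier, follows the RFC 8414/9728 rule of inserting `/.well-known/...` between host and path, and takes a `fetch_json` callable so the constructed sample documents can be used offline.

```python
"""Resolve a Transmitter's token endpoint via OPRM (RFC 9728) and AS metadata (RFC 8414)."""
from typing import Any, Callable, Dict
from urllib.parse import urlsplit, urlunsplit

OPRM_SUFFIX = "oauth-protected-resource"       # RFC 9728 well-known suffix
AS_META_SUFFIX = "oauth-authorization-server"  # RFC 8414 well-known suffix


def well_known_url(base: str, suffix: str) -> str:
    """Insert /.well-known/<suffix> between host and path, as RFC 8414 and 9728 require."""
    parts = urlsplit(base)
    path = parts.path.rstrip("/")
    return urlunsplit((parts.scheme, parts.netloc, f"/.well-known/{suffix}{path}", "", ""))


def discover_token_endpoint(transmitter_url: str,
                            fetch_json: Callable[[str], Dict[str, Any]]) -> str:
    """Return the AS token_endpoint for a Transmitter, validating each hop's binding."""
    oprm = fetch_json(well_known_url(transmitter_url, OPRM_SUFFIX))
    # RFC 9728: the client must check that 'resource' matches the resource it asked about
    if oprm.get("resource", "").rstrip("/") != transmitter_url.rstrip("/"):
        raise ValueError("OPRM 'resource' does not match the Transmitter URL")
    servers = oprm.get("authorization_servers") or []
    if not servers:
        raise ValueError("OPRM lists no authorization_servers")
    issuer = servers[0]  # assumption: a Receiver picks the first listed AS
    as_meta = fetch_json(well_known_url(issuer, AS_META_SUFFIX))
    # RFC 8414: 'issuer' in the metadata must equal the issuer URL used to locate it
    if as_meta.get("issuer") != issuer:
        raise ValueError("AS metadata 'issuer' does not match authorization_servers entry")
    token_endpoint = as_meta.get("token_endpoint", "")
    if not token_endpoint.startswith("https://"):
        raise ValueError("AS metadata has no https token_endpoint")
    return token_endpoint


# Constructed sample documents (hypothetical hosts, not from any real deployment)
SAMPLE_DOCS: Dict[str, Dict[str, Any]] = {
    "https://transmitter.example/.well-known/oauth-protected-resource/ssf": {
        "resource": "https://transmitter.example/ssf",
        "authorization_servers": ["https://as.example/tenant1"],
        "scopes_supported": ["ssf.read", "ssf.manage"],
    },
    "https://as.example/.well-known/oauth-authorization-server/tenant1": {
        "issuer": "https://as.example/tenant1",
        "token_endpoint": "https://as.example/tenant1/oauth2/token",
    },
}


def fetch_sample(url: str) -> Dict[str, Any]:
    """Offline stand-in for an HTTPS GET; unknown URLs raise KeyError."""
    return SAMPLE_DOCS[url]
```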