From f8f833046374eab1c07998b00a295f5c97a6fdaa Mon Sep 17 00:00:00 2001 From: Michael Jones Date: Mon, 1 Sep 2025 17:24:18 -0700 Subject: [PATCH 1/2] Use token_endpoint_auth_methods_supported for all AS endpoints --- openid-connect-rp-metadata-choices-1_0.xml | 54 +++++++++++++++++++++- 1 file changed, 52 insertions(+), 2 deletions(-) diff --git a/openid-connect-rp-metadata-choices-1_0.xml b/openid-connect-rp-metadata-choices-1_0.xml index 516114b..6418efb 100644 --- a/openid-connect-rp-metadata-choices-1_0.xml +++ b/openid-connect-rp-metadata-choices-1_0.xml @@ -13,6 +13,7 @@ be taken to indicate. --> @@ -57,7 +58,7 @@ - + OpenID Connect Working Group @@ -313,6 +314,8 @@ Client Authentication methods supported by the Client. If a token_endpoint_auth_method metadata parameter is also present, its value MUST be in the list. + Also see the discussion of this parameter in + . @@ -416,6 +419,38 @@ +
+ + The token_endpoint_auth_methods_supported + metadata value is used, in practice, to indicate the + Client Authentication Methods supported at any Authorization Server endpoint, + not just the Token Endpoint. + For instance, these same methods MUST be supported at + the Revocation Endpoint , + the Introspection Endpoint , and + the Pushed Authorization Request Endpoint , + when they exist. + + + It is a consensus position within the OpenID Connect working group that + it was a mistake to create separate + revocation_endpoint_auth_method and + introspection_endpoint_auth_method + Client Metadata parameters. + This aligns with the decision by the OAuth Working group to use the + token_endpoint_auth_methods_supported and + token_endpoint_auth_method parameters + to describe the capabilities of the Pushed Authorization Request (PAR) Endpoint, + rather than creating new parameters that were PAR-specific. + + + Consequently, this specification does not create + revocation_endpoint_auth_methods_supported or + introspection_encryption_enc_values_supported + endpoints. + +
+
To facilitate interoperability with implementations not supporting @@ -836,7 +871,10 @@ + + + @@ -1142,9 +1180,21 @@
[[ To be removed from the approved Final Specification ]] + + -03 + + + Stated that the + token_endpoint_auth_methods_supported + metadata value is used to indicate the Client Authentication Methods + supported at any Authorization Server endpoint. + + + + -02 - + Added multi-valued metadata parameters based on single-valued metadata parameters in , , and . From a07a73292cf08fd152bb2633dc8e4e77a454d6ba Mon Sep 17 00:00:00 2001 From: Michael Jones Date: Tue, 2 Sep 2025 19:06:56 -0700 Subject: [PATCH 2/2] Correct names of parameters now considered mistakes --- openid-connect-rp-metadata-choices-1_0.xml | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/openid-connect-rp-metadata-choices-1_0.xml b/openid-connect-rp-metadata-choices-1_0.xml index 6418efb..e1e4430 100644 --- a/openid-connect-rp-metadata-choices-1_0.xml +++ b/openid-connect-rp-metadata-choices-1_0.xml @@ -58,7 +58,7 @@ - + OpenID Connect Working Group @@ -434,20 +434,21 @@ It is a consensus position within the OpenID Connect working group that it was a mistake to create separate - revocation_endpoint_auth_method and - introspection_endpoint_auth_method - Client Metadata parameters. + revocation_endpoint_auth_methods_supported and + introspection_endpoint_auth_methods_supported + Authorization Server Metadata parameters in . This aligns with the decision by the OAuth Working group to use the token_endpoint_auth_methods_supported and - token_endpoint_auth_method parameters - to describe the capabilities of the Pushed Authorization Request (PAR) Endpoint, + token_endpoint_auth_method metadata parameters + to describe the capabilities of the + Pushed Authorization Request (PAR) Endpoint , rather than creating new parameters that were PAR-specific. Consequently, this specification does not create revocation_endpoint_auth_methods_supported or introspection_encryption_enc_values_supported - endpoints. + Client Metadata parameters.
@@ -1130,6 +1131,7 @@ +
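Review bot: the cross-reference added in PATCH 1/2 hunk @@ -313,6 +314,8 @@ ("Also see the discussion of this parameter in ...") does not say what the referenced discussion adds for a reader of the Client Metadata definition; since the new section's point is that the parameter covers Client Authentication at the Revocation, Introspection and Pushed Authorization Request Endpoints as well as the Token Endpoint, say that here in a few words, e.g. "Also see [ref] for the use of this parameter to describe Client Authentication at Authorization Server endpoints other than the Token Endpoint."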
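Review bot: in the new section added by PATCH 1/2 hunk @@ -416,6 +419,38 @@, the first paragraph mixes a descriptive framing ("is used, in practice, to indicate") with a normative requirement ("these same methods MUST be supported at the Revocation Endpoint, the Introspection Endpoint, and the Pushed Authorization Request Endpoint, when they exist"); decide which it is. If this specification is imposing the requirement, drop "in practice" and state it as a requirement on Authorization Servers (and say whether a Client may still authenticate at one of those endpoints with a method not in its token_endpoint_auth_methods_supported list); if the requirement comes from the referenced endpoint specifications, cite them as its source and use non-normative wording. Also, in the third paragraph, introspection_encryption_enc_values_supported does not match the pair named two paragraphs earlier (revocation_endpoint_auth_method and introspection_endpoint_auth_method); from the parallel with revocation_endpoint_auth_methods_supported the intended name appears to be introspection_endpoint_auth_methods_supported, and "endpoints" should be "metadata parameters", since nothing in this section defines an endpoint.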
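Review bot: the -03 Document History entry added in PATCH 1/2 hunk @@ -1142,9 +1180,21 @@ records only the statement about token_endpoint_auth_methods_supported, but the same revision also records the working group position that the separate revocation and introspection authentication-method parameters were a mistake and that this specification will not define counterparts for them; that is the decision implementers will look for in the history, so add a sentence for it (and mention the new cross-reference at line 314 if the history is meant to be complete).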
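Review bot: PATCH 2/2 hunk @@ -434,20 +434,21 @@ corrects the names and the "endpoints"/"Client Metadata parameters" wording but leaves introspection_encryption_enc_values_supported in the "Consequently" sentence, so the sentence still does not name the parameter that the preceding paragraph pairs with revocation_endpoint_auth_methods_supported (introspection_endpoint_auth_methods_supported); fix it in this patch, since its subject is exactly these names. Two smaller points in the same hunk: the amended paragraph now says the mistaken parameters are Authorization Server Metadata parameters in [ref], while the next sentence says this specification does not create parameters of the same names as Client Metadata parameters, so say explicitly that it is the Client Metadata counterparts of those AS parameters that are not being created (otherwise the sentence reads as declining to create something the previous sentence says already exists); and "OAuth Working group" should be capitalized consistently with "OpenID Connect working group" in the sentence before it.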
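Review bot: the commit message "Correct names of parameters now considered mistakes" does not cover the line added by hunk @@ -1130,6 +1131,7 @@ of PATCH 2/2; if that line is the reference entry for the Pushed Authorization Request citation introduced in the @@ -434,20 +434,21 @@ hunk, say so in the message (a reference added to back a new inline citation is the kind of change a reader of the history will otherwise miss), and confirm the new entry is cited only from that section so no dangling reference remains.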