Bearer Tokens, Discovery and OAuth 2.0

Part of my day job is working on adding discovery to OAuth 2.0. This article provides a summary of some of that work. So I was more than a little concerned when I saw a blog article from Eran Hammer-Lahav, the editor of OAuth 2.0, asserting that OAuth 2.0 couldn't support secure discovery. Very worried that something was terribly wrong I carefully read Eran's article. I summarize below what I believe his concerns are and explain how I believe those concerns would be addressed by extensions to OAuth 2.0 to support discovery. I also explain how Eran's article helped me find a flaw in my own proposal and how I propose fixing that flaw.

Continue reading Bearer Tokens, Discovery and OAuth 2.0