Skip to content

add(well-known): OAuth 2.0 discovery pages — oauth-protected-resource (RFC 9728) + oauth-authorization-server (RFC 8414)#85

Merged
jdevalk merged 2 commits into
mainfrom
standards-scan/oauth-protected-resource-2026-07-08
Jul 8, 2026
Merged

add(well-known): OAuth 2.0 discovery pages — oauth-protected-resource (RFC 9728) + oauth-authorization-server (RFC 8414)#85
jdevalk merged 2 commits into
mainfrom
standards-scan/oauth-protected-resource-2026-07-08

Conversation

@jdevalk

@jdevalk jdevalk commented Jul 8, 2026

Copy link
Copy Markdown
Owner

What changed

Adds the OAuth 2.0 discovery metadata set to the well-known category — two new optional pages plus a short orientation paragraph tying the three documents together:

Together with the existing openid-configuration page they form the discovery chain: a resource points at its authorisation server(s), whose own metadata lives at oauth-authorization-server (or openid-configuration for OIDC).

Also:

  • A short "these span several well-known URIs that chain together" paragraph on well-known-overview, using the OAuth trio as the example.
  • relatedSlugs wired across well-known-overview, openid-configuration, oauth-protected-resource, oauth-authorization-server, and mcp-and-tool-discovery.
  • One added changelog entry covering both pages.
  • OG images regenerated: the two new page images plus the four count-driven ones; all other per-page images byte-identical.

Why keep three pages instead of one

Discussed in-session. The site is one-page-per-well-known-URI by design — the checklist, llms.txt, the OKF bundle, and the MCP get_topic/list_topics tools all treat one page as one auditable unit, and the three documents serve genuinely different roles (resource server vs authorisation server; OIDC vs plain OAuth). Merging would also retire two live, stable URLs (openid-configuration exists; #85 added oauth-protected-resource), contradicting the spec's own stable-urls guidance. The coherence comes from linkage + the overview paragraph, not a merged page.

Why "ship it before you spec it" does not block either page

Both are conditional well-known URIs — they only apply to a site that exposes an OAuth-protected resource or runs an authorisation server. This site's MCP endpoint is public and unauthenticated, so there is nothing to ship, exactly like the existing openid-configuration, webfinger, nodeinfo, and webauthn pages. Each page says so.

Status justification

Both optional — needed only when the condition holds. Not recommended: a site with no protected resource / no authorisation server should not publish these.

Primary sources

  • RFC 9728 (Protected Resource Metadata), RFC 8414 (Authorization Server Metadata), OpenID Connect Discovery 1.0, IANA Well-Known URIs Registry, and the MCP authorization spec as the driving use case.

Verification

  • npm run build passes locally (158 pages indexed, integrity check green).
  • eslint + prettier --check pass via the pre-commit hook.
  • SKILL.md says "140+ pages" (a floor) — still accurate at 158, so no digest change.

Opened as draft by the daily standards scan; both pages follow the in-session decision that RFC 9728/8414 should be spec'd because neither requires the site to ship anything.

🤖 Generated with Claude Code

Documents the OAuth 2.0 Protected Resource Metadata document — the
resource-server counterpart to oauth-authorization-server /
openid-configuration. Status optional: it applies only to sites
exposing an OAuth-protected resource, so 'ship it before you spec it'
is not triggered (our public MCP endpoint is unauthenticated and has
nothing to advertise). Relevant now because MCP's authorization spec
requires authenticated MCP servers to publish it.

Wires relatedSlugs on well-known-overview, openid-configuration, and
mcp-and-tool-discovery; adds an 'added' changelog entry and the OG
images (new page + four count-driven).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@cloudflare-workers-and-pages

cloudflare-workers-and-pages Bot commented Jul 8, 2026

Copy link
Copy Markdown

Deploying specification-website with  Cloudflare Pages  Cloudflare Pages

Latest commit: 66ef1cf
Status: ✅  Deploy successful!
Preview URL: https://6590f990.specification-website.pages.dev
Branch Preview URL: https://standards-scan-oauth-protect.specification-website.pages.dev

View logs

Completes the OAuth 2.0 discovery set alongside oauth-protected-resource
(RFC 9728) and openid-configuration. Covers the plain-OAuth (non-OIDC)
authorization server, whose only home in the spec was a passing mention;
notes the RFC 8414 vs OIDC path-insertion difference and its place in the
9728 discovery chain. Status optional.

Cross-links the trio via relatedSlugs and adds a short orientation
paragraph to well-known-overview naming how the three chain together.
Folds both new pages into one 'added' changelog entry. Regenerates OG
images (new page + four count-driven).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@jdevalk jdevalk changed the title add(well-known): /.well-known/oauth-protected-resource page (RFC 9728) add(well-known): OAuth 2.0 discovery pages — oauth-protected-resource (RFC 9728) + oauth-authorization-server (RFC 8414) Jul 8, 2026
@jdevalk jdevalk marked this pull request as ready for review July 8, 2026 07:14
@jdevalk jdevalk merged commit d3f0079 into main Jul 8, 2026
8 checks passed
@jdevalk jdevalk deleted the standards-scan/oauth-protected-resource-2026-07-08 branch July 8, 2026 07:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant