by tav 5068 days ago
Great question. Unfortunately, it's not easy to do DNS queries from within today's browsers. However, all modern browsers already support [1] cross-origin XMLHttpRequests and the Access-Control-Allow-Origin header [2].

Thus a fixed URI like /.well-known/oauth.json would allow us to potentially do everything from service discovery to authorized requests from within client-side JavaScript apps without the need for server-side proxying or interpretation.

[1] http://caniuse.com/#feat=cors

[2] https://developer.mozilla.org/en/http_access_control

1 comments

This is all way too complicated. All of the service-discovery you need can be encoded in the WWW-Authenticate header.

The only problem that OAuth really solves is coming up with some way for a third party to get an arbitrary set of revocable credentials that authenticate the (user, app) pair instead of just having every app use user credentials directly (because that's a phishing hazard). All we need is a standardized mechanism for getting those credentials, and then we can all continue to use Basic and Digest authentication over HTTPS.

OAuth 2.0 almost does that. It actually allows it, but it just has a little too much extra cruft. If you strip out refresh tokens, replace Bearer and MAC authentication with Basic and Digest authentication, mandate HTTPS, and add a couple of qop-options to the WWW-Authenticate header on the 401 response (see RFC 2617) that identify the authorization and token endpoints, you'd have a working standard, and it would be child's play for anyone to implement it.

EDIT: So the 401 response would look something like:

  HTTP/1.1 401 Unauthorized
  WWW-Authenticate: Basic realm="foo", oauth2_auth="<URI>", oauth2_token="<URI>"
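An added example, not from the thread: a small client-side parser for the 401 challenge sketched above, pulling out the commenter's hypothetical oauth2_auth and oauth2_token parameters and enforcing the HTTPS mandate. The constructed sample response and the same-host check on the advertised endpoints are my own assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed sample 401, modelled on the header format proposed above.
# oauth2_auth / oauth2_token are the commenter's hypothetical parameter names.
SAMPLE_401 = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Content-Type: text/plain\r\n"
    'WWW-Authenticate: Basic realm="foo", '
    'oauth2_auth="https://api.example.test/authorize", '
    'oauth2_token="https://api.example.test/token"\r\n'
    "\r\n"
)

# RFC 2617 auth-param: token "=" ( token | quoted-string )
_AUTH_PARAM = re.compile(r'([A-Za-z0-9_.-]+)=(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))')

def parse_challenge(header_value):
    """Split a WWW-Authenticate value into (scheme, {param: value})."""
    scheme, _, rest = header_value.strip().partition(" ")
    params = {}
    for m in _AUTH_PARAM.finditer(rest):
        value = m.group(2) if m.group(2) is not None else m.group(3)
        params[m.group(1).lower()] = re.sub(r"\\(.)", r"\1", value)  # unescape
    return scheme, params

def www_authenticate(raw_response):
    """Return the WWW-Authenticate header value of a raw HTTP response, or None."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "www-authenticate":
            return value.strip()
    return None

def discover_endpoints(raw_response, resource_host):
    """Extract the authorization and token endpoints advertised in a 401.

    Endpoints must be absolute https URIs on the resource's own host (an
    added check), so a stray or altered header cannot redirect credentials.
    """
    header = www_authenticate(raw_response)
    if header is None:
        raise ValueError("no WWW-Authenticate challenge")
    scheme, params = parse_challenge(header)
    if scheme.lower() not in ("basic", "digest"):
        raise ValueError("unsupported scheme %r" % scheme)
    endpoints = {}
    for key in ("oauth2_auth", "oauth2_token"):
        uri = params.get(key)
        parts = urlsplit(uri or "")
        if parts.scheme != "https" or parts.hostname != resource_host:
            raise ValueError("%s must be an https URI on %s" % (key, resource_host))
        endpoints[key] = uri
    return scheme, params.get("realm"), endpoints
```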