6. Security Considerations

6.1. TLS Requirements

The use of TLS is REQUIRED when obtaining authorization server metadata and for other communications between OAuth clients and authorization servers. As described in "OAuth 2.0 Threat Model and Security Considerations" [RFC6819], proper implementation and deployment of TLS are critical.

6.2. Impersonation Attacks

TLS certificate checking [RFC6125] MUST be performed to prevent unauthorized servers from impersonating an authorization server by providing metadata. Validation of the issuer identifier described in Section 3.3 is equally important.
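The following Python helper is an added example, not part of RFC 8414 or any authorization server's own code. It ties together the requirements of Sections 6.1 and 6.2: the metadata fetch is done over TLS with chain and hostname verification enabled, and the returned document is accepted only if its issuer value is identical to the issuer identifier used to build the metadata URL (the Section 3.3 rule) and every endpoint it advertises is an https URL. The URL construction follows Section 3 (the well-known path is inserted between host and path, with any trailing "/" on the issuer path removed first). The hostnames, the sample metadata document and the two bad documents are constructed for illustration; no network access is needed to run the validation part.

```python
"""RFC 8414 metadata fetch-and-validate helper (added example, not RFC text).

Assumes: Section 3 URL construction, Section 3.3 issuer-match rule, and the
Section 6.1 requirement that all client-to-AS traffic uses TLS.
"""
import json
import ssl
import urllib.request
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/oauth-authorization-server"


def metadata_url(issuer: str) -> str:
    """Build the metadata URL per Section 3: issuer must be https with no query
    or fragment; the well-known path goes between host and path component."""
    parts = urlsplit(issuer)
    if parts.scheme != "https":
        raise ValueError("issuer identifier must be an https URL")
    if parts.query or parts.fragment:
        raise ValueError("issuer identifier must not contain a query or fragment")
    path = parts.path.rstrip("/")  # terminating "/" is removed before insertion
    return f"https://{parts.netloc}{WELL_KNOWN}{path}"


def fetch_metadata(issuer: str, timeout: float = 10.0) -> dict:
    """Retrieve metadata over TLS (Sections 6.1 and 6.2). ssl.create_default_context()
    verifies the certificate chain against the system trust store and checks the
    hostname (RFC 6125); TLS 1.2 is the minimum accepted version."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    req = urllib.request.Request(metadata_url(issuer), headers={"Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        if resp.status != 200:
            raise ValueError(f"unexpected HTTP status {resp.status}")
        return validate_metadata(issuer, json.loads(resp.read().decode("utf-8")))


def validate_metadata(issuer: str, metadata: dict) -> dict:
    """Section 3.3: the 'issuer' value MUST be identical (exact string match) to
    the issuer identifier the URL was built from; otherwise the document MUST NOT
    be used. Additionally, every advertised endpoint must be https, because a
    plaintext endpoint would defeat the Section 6.1 TLS requirement."""
    got = metadata.get("issuer")
    if got != issuer:
        raise ValueError(f"issuer mismatch: expected {issuer!r}, got {got!r}")
    for key, value in metadata.items():
        if key.endswith("_endpoint") or key == "jwks_uri":
            if not isinstance(value, str) or urlsplit(value).scheme != "https":
                raise ValueError(f"{key} is not an https URL: {value!r}")
    return metadata


def metadata_is_acceptable(issuer: str, metadata: dict) -> bool:
    """Boolean wrapper around validate_metadata for callers that prefer a flag."""
    try:
        validate_metadata(issuer, metadata)
        return True
    except ValueError:
        return False


# Constructed sample documents (hypothetical hosts; not real servers' responses).
SAMPLE_ISSUER = "https://as.example.com/tenant1"
SAMPLE_METADATA = {
    "issuer": SAMPLE_ISSUER,
    "authorization_endpoint": "https://as.example.com/tenant1/authorize",
    "token_endpoint": "https://as.example.com/tenant1/token",
    "jwks_uri": "https://as.example.com/tenant1/jwks",
    "response_types_supported": ["code"],
}
# Impersonation attempt: a document served for SAMPLE_ISSUER that names another issuer.
IMPERSONATING_METADATA = dict(SAMPLE_METADATA, issuer="https://attacker.example/tenant1")
# Downgrade attempt: correct issuer, but a plaintext token endpoint.
PLAINTEXT_ENDPOINT_METADATA = dict(SAMPLE_METADATA, token_endpoint="http://as.example.com/tenant1/token")

if __name__ == "__main__":
    print(metadata_url(SAMPLE_ISSUER))
    print("good:", metadata_is_acceptable(SAMPLE_ISSUER, SAMPLE_METADATA))
    print("impersonation:", metadata_is_acceptable(SAMPLE_ISSUER, IMPERSONATING_METADATA))
    print("plaintext endpoint:", metadata_is_acceptable(SAMPLE_ISSUER, PLAINTEXT_ENDPOINT_METADATA))
```

The issuer comparison is a byte-for-byte string match, not a normalized URL comparison; a client that canonicalizes (for example by dropping a trailing slash) before comparing loosens the Section 3.3 check. Pinning `minimum_version` is an added hardening choice, not something the RFC mandates.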

6.3. Publishing Metadata in a Standard Format

Publishing metadata in a standard, machine-readable format enables potential attackers to discover information about the capabilities of the authorization server. This is unavoidable in the normal operation of OAuth 2.0 and is not considered a security risk.

6.4. Protected Resources

This specification does not address obtaining metadata about protected resources. Mechanisms for publishing and obtaining metadata for protected resources might be considered in future specifications.