Follow-up from review discussion on #994 (comment 1, comment 2), and 3.
The draft authorization spec recommends clients obtain a client ID using priority order: pre-registered client information → CIMD → DCR
OAuthState currently exposes each mechanism through a separate entry point, and callers must know which one to pick.
Proposal:
for v3, we can consolidate behind a single start_authorization entry point that accepts a declarative description of the client's available identity material and applies the spec's priority order internally.
Follow-up from review discussion on #994 (comment 1, comment 2), and 3.
The draft authorization spec recommends clients obtain a client ID using priority order: pre-registered client information → CIMD → DCR
OAuthState currently exposes each mechanism through a separate entry point, and callers must know which one to pick.
Proposal:
for v3, we can consolidate behind a single start_authorization entry point that accepts a declarative description of the client's available identity material and applies the spec's priority order internally.