HTTP APIs (@http_apis)'s Twitter Profile
HTTP APIs

@http_apis

Bits and tweets about HTTP based Application Programming Interfaces.

By @pmhsfelix

ID: 1024742412084830209

Link: https://labs.pedrofelix.org/http-api-specs/ | Date: 01-08-2018 19:43:24

261 Tweets

198 Followers

2 Following

"What makes HTTP significantly different from RPC is that the requests are directed to resources using a generic interface with standard semantics that can be interpreted by intermediaries (..) " In "HTTP is not RPC" by Roy T. Fielding ics.uci.edu/~fielding/pubs…

"The OAuth 2.0 device authorization grant is designed for Internet-connected devices that either lack a browser to perform a user-agent-based authorization or are input constrained" In "OAuth 2.0 Device Authorization Grant" tools.ietf.org/html/rfc8628

"JSON Web Tokens (...) are URL-safe JSON-based security tokens that contain a set of claims that can be signed and/or encrypted. This (...) document updates RFC 7519 to provide actionable guidance leading to secure implementation and deployment of JWTs." In rfc-editor.org/rfc/rfc8725.ht…

"Sometimes, one kind of JWT can be confused for another. If a particular kind of JWT is subject to such confusion, that JWT can include an explicit JWT type value, and the validation rules can specify checking the type." In rfc-editor.org/rfc/rfc8725.ht…

"If the same issuer can issue JWTs that are intended for use by more than one relying party or application, the JWT MUST contain an "aud" (audience) claim that can be used to determine whether the JWT is being used by an intended party (...)" In rfc-editor.org/rfc/rfc8725.ht…

"The Web is based on numerous standards that together make up the surface of the Web: By knowing and supporting those standards, problems can be solved in well-known ways." By Erik Wilde, in dret.net/netdret/docs/w…

"The "sub" (subject) claim identifies the principal that is the subject of the JWT. The claims in a JWT are normally statements about the subject." in tools.ietf.org/html/rfc7519#s…

"The "aud" (audience) claim identifies the recipients that the JWT is intended for. Each principal intended to process the JWT MUST identify itself with a value in the audience claim." In tools.ietf.org/html/rfc7519#s…

"azp - Authorized Party - the party to which the ID Token was issued. (...) This Claim is only needed when the ID Token has a single audience value and that audience is different than the authorized party" In openid.net/specs/openid-c…

"acr - Authentication Context Class Reference - String specifying an Authentication Context Class Reference value that identifies the Authentication Context Class that the authentication performed satisfied" In openid.net/specs/openid-c…

"This memo introduces an informational HTTP status code that can be used to convey hints that help a client make preparations for processing the final response." In tools.ietf.org/html/rfc8297

Early hints example from tools.ietf.org/html/rfc8297

    HTTP/1.1 103 Early Hints
    Link: </style.css>; rel=preload; as=style
    Link: </script.js>; rel=preload; as=script

    HTTP/1.1 200 OK
    Date: Fri, 26 May 2017 10:02:11 GMT
    (...)

"The Link header field provides a means for serialising one or more links into HTTP headers." In tools.ietf.org/html/rfc8288#s…

"The immutable HTTP response Cache-Control extension allows servers to identify resources that will not be updated during their freshness lifetime. This ensures that a client never needs to revalidate a cached fresh resource (...)" In tools.ietf.org/html/rfc8246

"It is increasingly common for Web-based protocols to require the discovery of policy or other information about a host ("site-wide metadata") before making a request." (1/2)

"To address this, this memo defines a path prefix in HTTP(S) URIs for these "well-known locations", "/.well-known/"." In tools.ietf.org/html/rfc5785 (2/2)