diff --git a/public/source/index.php b/public/source/index.php
index c5ec7f2..92cd439 100644
--- a/public/source/index.php
+++ b/public/source/index.php
@@ -9,11 +9,11 @@
     <script class='remove'>
       var respecConfig = {
           useExperimentalStyles: true,
-          publishDate: "2020-08-09",
+          publishDate: "2020-09-26",
           specStatus: "NOTE", /* for loading w3c CSS */
-          previousPublishDate: "2020-01-25",
+          previousPublishDate: "2020-08-09",
           previousMaturity: "LS",
-          previousVersionURL: "https://indieauth.spec.indieweb.org/20200125/",
+          previousVersionURL: "https://indieauth.spec.indieweb.org/20200809/",
           shortName:  "indieauth",
           lsURI: "https://indieauth.spec.indieweb.org/",
           testSuiteURI: "https://indieauth.rocks/",
@@ -151,9 +151,7 @@
           <li>All clients are public clients (no <code>client_secret</code> is used)</li>
           <li>Client registration at the authorization endpoint is not necessary, since client IDs are resolvable URLs</li>
           <li>Redirect URL registration happens by verifying data fetched at the Client ID URL</li>
-          <li>Specifies a mechanism for returning the user identifier for the user who authorized a request</li>
-          <li>Specifies a mechanism for verifying authorization codes</li>
-          <li>Specifies a mechanism for a token endpoint and authorization endpoint to communicate</li>
+          <li>Specifies a mechanism for returning the user identifier and profile information for the user who authorized a request</li>
         </ul>
 
         <p>Additionally, the parameters defined by OAuth 2.0 (in particular <code>state</code>, <code>code</code>, and <code>scope</code>) follow the same syntax requirements as defined by Appendix A of OAuth 2.0 [[!RFC6749]].</p>
@@ -238,7 +236,7 @@
 
         <p>Since domain names are case insensitive, the hostname component of the URL MUST be compared case insensitively. Implementations SHOULD convert the hostname to lowercase when storing and using URLs.</p>
 
-        <p>For ease of use, clients MAY allow users to enter just a hostname part of the URL, in which case the client MUST turn that into a valid URL before beginning the IndieAuth flow, by prepending a either an <code>http</code> or <code>https</code> scheme and appending the path <code>/</code>. For example, if the user enters <code>example.com</code>, the client transforms it into <code>http://example.com/</code> before beginning discovery.</p>
+        <p>For ease of use, clients MAY allow users to enter just a hostname part of the URL, in which case the client MUST turn that into a valid URL before beginning the IndieAuth flow, by prepending either an <code>http</code> or <code>https</code> scheme and appending the path <code>/</code>. For example, if the user enters <code>example.com</code>, the client transforms it into <code>http://example.com/</code> before beginning discovery.</p>
       </section>
 
     </section>
@@ -258,7 +256,7 @@
 
         <p>Clients MUST check for an HTTP <code>Link</code> header [[!RFC8288]] with the appropriate <code>rel</code> value. If the content type of the document is HTML, then the client MUST check for an HTML <code>&lt;link&gt;</code> element with the appropriate <code>rel</code> value. If more than one of these is present, the first HTTP <code>Link</code> header takes precedence, followed by the first <code>&lt;link&gt;</code> element in document order.</p>
 
-        <p>The endpoints discovered MAY be relative URLs, in which case the client MUST resolve them relative to the profile URL according to [[!URL]].</p>
+        <p>The endpoints discovered MAY be relative URLs, in which case the client MUST resolve them relative to the current document URL according to [[!URL]].</p>
 
         <p>Clients MAY initially make an HTTP HEAD request [[!RFC7231]] to follow redirects and check for the <code>Link</code> header before making a GET request.</p>
 
@@ -408,33 +406,52 @@
       <section>
         <h3>Authorization Request</h3>
 
-          <p>The client builds the authorization request URL by starting with the discovered <code>authorization_endpoint</code> URL and adding the following parameters to the query component:</p>
+          <p>The client builds the authorization request URL by starting with the discovered <code>authorization_endpoint</code> URL and adding parameters to the query component.</p>
+
+          <p>All IndieAuth clients MUST use PKCE ([[!RFC7636]]) to protect against authorization code injection and CSRF attacks. A non-canonical description of the PKCE mechanism is described below, but implementers should refer to [[RFC7636]] for details.</p>
+
+          <p>Clients use a unique secret per authorization request to protect against authorization code injection and CSRF attacks. The client first generates this secret, which it can later use along with the authorization code to prove that the application using the authorization code is the same application that requested it.</p>
+
+          <p>The client first creates a code verifier for each authorization request by generating a random string using the characters <code>[A-Z] / [a-z] / [0-9] / - / . / _ / ~</code> with a minimum length of 43 characters and maximum length of 128 characters. This value is stored on the client and will be used in the authorization code exchange step later.</p>
+
+          <p>The client then creates the code challenge derived from the code verifier by calculating the SHA256 hash of the code verifier and Base64-URL-encoding the result.</p>
+
+          <code>code_challenge = BASE64URL-ENCODE(SHA256(ASCII(code_verifier)))</code>
+
+          <p>For backwards compatibility, authorization endpoints MAY accept authorization requests without a code challenge if the authorization server wishes to support older clients.</p>
 
           <ul>
             <li><code>response_type=code</code> - Indicates to the authorization server that an authorization code should be returned as the response</li>
-            <li><code>me</code> - The profile URL that the user entered</li>
             <li><code>client_id</code> - The client URL</li>
             <li><code>redirect_uri</code> - The redirect URL indicating where the user should be redirected to after approving the request</li>
             <li><code>state</code> - A parameter set by the client which will be included when the user is redirected back to the client. This is used to prevent CSRF attacks. The authorization server MUST return the unmodified state value back to the client.</li>
-            <li><code>scope</code> - (optional) A space-separated list of scopes the client is requesting, e.g. "profile", or "profile create". If the client omits this value, the authorization server MUST NOT issue an access token for this authorization code. Only the user's URL may be returned without any scope requested.</li>
+            <li><code>code_challenge</code> - The code challenge as previously described.</li>
+            <li><code>code_challenge_method</code> - The hashing method used to calculate the code challenge, e.g. "S256"</li>
+            <li><code>scope</code> - (optional) A space-separated list of scopes the client is requesting, e.g. "profile", or "profile create". If the client omits this value, the authorization server MUST NOT issue an access token for this authorization code. Only the user's profile URL may be returned without any scope requested. See <a href="#profile-information">Profile Information</a> for details about which scopes to request to return user profile information.</li>
+            <li><code>me</code> - (optional) The profile URL that the user entered</li>
           </ul>
 
           <pre class="example nohighlight"><?= htmlspecialchars(
-'https://example.org/auth?me=https://user.example.net/&
-                          redirect_uri=https://app.example.com/redirect&
+'https://example.org/auth?response_type=code&
                           client_id=https://app.example.com/&
+                          redirect_uri=https://app.example.com/redirect&
                           state=1234567890&
+                          code_challenge=OfYAxt8zU2dAPDWQxTAUIteRzMsoj9QBdMIVEDOErUo&
+                          code_challenge_method=S256&
                           scope=profile+create+update+delete&
-                          response_type=code') ?></pre>
+                          me=https://user.example.net/') ?></pre>
+
+          <p>The client SHOULD provide the <code>me</code> query string parameter to the authorization endpoint, either the exact value the user entered, or the canonical profile URL resulting from the discovery step.</p>
 
           <p>The authorization endpoint SHOULD fetch the <code>client_id</code> URL to retrieve application information and the client's registered redirect URLs, see <a href="#client-information-discovery">Client Information Discovery</a> for more information.</p>
 
           <p>If the URL scheme, host or port of the <code>redirect_uri</code> in the request do not match that of the <code>client_id</code>, then the authorization endpoint SHOULD verify that the requested <code>redirect_uri</code> matches one of the <a href="#redirect-url">redirect URLs</a> published by the client, and SHOULD block the request from proceeding if not.</p>
 
-          <p>It is up to the authorization endpoint how to authenticate the user. This step is out of scope of OAuth 2.0, and is highly dependent on the particular implementation. Some authorization servers use typical username/password authentication, and others use alternative forms of authentication such as [[?RelMeAuth]].</p>
+          <p>It is up to the authorization endpoint how to authenticate the user. This step is out of scope of OAuth 2.0, and is highly dependent on the particular implementation. Some authorization servers use typical username/password authentication, and others use alternative forms of authentication such as [[?RelMeAuth]], or delegate to other identity providers.</p>
 
-          <p>Once the user is authenticated, the authorization endpoint presents the authorization request to the user. The prompt MUST indicate which application the user is signing in to, and SHOULD provide as much detail as possible about the request, such as information about the requested scopes.</p>
+          <p>The authorization endpoint MAY use the provided <code>me</code> query component as a hint of which user is attempting to sign in, and to indicate which profile URL the client is expecting in the resulting profile URL response or access token response. This is specifically helpful for authorization endpoints where users have multiple supported profile URLs, so the authorization endpoint can make an informed decision as to which profile URL the user meant to identify as. Note that from the authorization endpoint's view, this value as provided by the client is unverified external data and MUST NOT be assumed to be valid data at this stage. If the logged-in user doesn't match the provided <code>me</code> parameter by the client, the authorization endpoint MAY either ignore the <code>me</code> parameter completely or display an error, at the authorization endpoint's discretion.</p>
 
+          <p>Once the user is authenticated, the authorization endpoint presents the authorization request to the user. The prompt MUST indicate which application the user is signing in to, and SHOULD provide as much detail as possible about the request, such as information about the requested scopes.</p>
 
         <section>
           <h4>Authorization Response</h4>
@@ -467,17 +484,18 @@
         <section>
           <h4>Request</h4>
 
-          <p>If the client only needs to know the user who logged in and does not need to make requests to resource servers with an access token, the client exchanges the authorization code for the user's profile URL at the <b>authorization endpoint</b>.</p>
-
           <p>If the client needs an access token in order to make requests to a resource server such as a [[?Micropub]] endpoint, it can exchange the authorization code for an access token and the user's profile URL at the <b>token endpoint</b>.</p>
 
+          <p>If the client only needs to know the user who logged in and does not need to make requests to resource servers with an access token, the client exchanges the authorization code for the user's profile URL at the <b>authorization endpoint</b>.</p>
+
           <p>After the client validates the state parameter, the client makes a POST request to the token endpoint or authorization endpoint to exchange the authorization code for the final user profile URL and/or access token. The POST request contains the following parameters:</p>
 
           <ul>
             <li><code>grant_type=authorization_code</code></li>
-            <li><code>code</code> - The authorization code received from the authorization endpoint in the redirect</li>
+            <li><code>code</code> - The authorization code received from the authorization endpoint in the redirect.</li>
             <li><code>client_id</code> - The client's URL, which MUST match the client_id used in the authentication request.</li>
             <li><code>redirect_uri</code> - The client's redirect URL, which MUST match the initial authentication request.</li>
+            <li><code>code_verifier</code> - The original plaintext random string generated before starting the authorization request.</li>
           </ul>
 
           <b>Example request to authorization endpoint</b>
@@ -490,6 +508,7 @@
   &code=xxxxxxxx
   &client_id=https://app.example.com/
   &redirect_uri=https://app.example.com/redirect
+  &code_verifier=a6128783714cfda1d388e2e98b6ae8221ac31aca31959e59512c59f5
   ') ?></pre>
 
           <b>Example request to token endpoint</b>
@@ -502,13 +521,18 @@
 &code=xxxxxxxx
 &client_id=https://app.example.com/
 &redirect_uri=https://app.example.com/redirect
+&code_verifier=a6128783714cfda1d388e2e98b6ae8221ac31aca31959e59512c59f5
 ') ?></pre>
         </section>
 
+          <p>Note that for backwards compatibility, the authorization endpoint MAY allow requests without the <code>code_verifier</code>. If an authorization code was issued with no <code>code_challenge</code> present, then the authorization code exchange MUST NOT include a <code>code_verifier</code>, and similarly, if an authorization code was issued with a <code>code_challenge</code> present, then the authorization code exchange MUST include a <code>code_verifier</code>.</p>
+
         <section>
           <h4>Profile URL Response</h4>
 
-          <p>The authorization endpoint verifies that the authorization code is valid, has not yet been used, and that it was issued for the matching <code>client_id</code> and <code>redirect_uri</code>. If the request is valid, then the endpoint responds with a JSON [[!RFC7159]] object containing one property, <code>me</code>, with the canonical user profile URL for the user who signed in.</p>
+          <p>When the client receives an authorization code that was requested with either no scope or only profile scopes (<a href="#profile-information">defined below</a>), the client will exchange the authorization code at the <b>authorization endpoint</b>, and only the canonical user profile URL and possibly profile information is returned.</p>
+
+          <p>The authorization endpoint verifies that the authorization code is valid, has not yet been used, and that it was issued for the matching <code>client_id</code> and <code>redirect_uri</code>, and checks that the provided <code>code_verifier</code> hashes to the same value as given in the <code>code_challenge</code> in the original authorization request. If the request is valid, then the endpoint responds with a JSON [[!RFC7159]] object containing the property <code>me</code>, with the canonical user profile URL for the user who signed in, and optionally the property <code>profile</code> with the user's profile information as defined in <a href="#profile-information">Profile Information</a>.</p>
 
           <pre class="example nohighlight"><?= htmlspecialchars(
   'HTTP/1.1 200 OK
@@ -518,7 +542,7 @@
     "me": "https://user.example.net/"
   }') ?></pre>
 
-          <p>The resulting profile URL MAY be different from what the user initially entered, but MUST be on the same domain. This gives the authorization endpoint an opportunity to canonicalize the user's URL, such as correcting <code>http</code> to <code>https</code>, or adding a path if required. See <a href="#redirect-examples">Redirect Examples</a> for an example of how a service can allow a user to enter a URL on a domain different from their resulting <code>me</code> profile URL.</p>
+          <p>The resulting profile URL MAY be different from the canonical profile URL as resolved by the client, but MUST be on the same domain. This gives the authorization endpoint an opportunity to canonicalize the user's URL, such as correcting <code>http</code> to <code>https</code>, or adding a path if required. See <a href="#redirect-examples">Redirect Examples</a> for an example of how a service can allow a user to enter a URL on a domain different from their resulting <code>me</code> profile URL, and see <a href="#differing-user-profile-urls">Differing User Profile URLs</a> for security considerations client developers should be aware of.</p>
 
           <p>See OAuth 2.0 [[!RFC6749]] <a href="https://tools.ietf.org/html/rfc6749#section-5.2">Section 5.2</a> for how to respond in the case of errors or other failures.</p>
         </section>
@@ -526,11 +550,13 @@
         <section>
           <h4>Access Token Response</h4>
 
-          <p>The token endpoint needs to verify that the authorization code is valid, and that it was issued for the matching <code>client_id</code> and <code>redirect_uri</code>, and contains at least one <code>scope</code>. If the authorization code was issued with no <code>scope</code>, the token endpoint MUST NOT issue an access token, as empty scopes are invalid per Section 3.3 of OAuth 2.0 [[!RFC6749]].</p>
+          <p>When the client receives an authorization code that was requested with one or more scopes that will result in an access token being returned, the client will exchange the authorization code at the <b>token endpoint</b>.</p>
 
-          <p>The specifics of how the token endpoint verifies the authorization code are out of scope of this document, as typically the authorization endpoint and token endpoint are part of the same system and can share storage or other private communication mechanism.</p>
+          <p>The token endpoint needs to verify that the authorization code is valid, and that it was issued for the matching <code>client_id</code> and <code>redirect_uri</code>, contains at least one <code>scope</code>, and checks that the provided <code>code_verifier</code> hashes to the same value as given in the <code>code_challenge</code> in the original authorization request. If the authorization code was issued with no <code>scope</code>, the token endpoint MUST NOT issue an access token, as empty scopes are invalid per Section 3.3 of OAuth 2.0 [[!RFC6749]].</p>
 
-          <p>If the request is valid, then the token endpoint can generate an access token and return the appropriate response. The token response is a JSON [[!RFC7159]] object containing the OAuth 2.0 Bearer Token [[!RFC6750]], as well as a property <code>me</code>, containing the canonical user profile URL for the user this access token corresponds to. For example:</p>
+          <p>The specifics of how the token endpoint verifies the authorization code are out of scope of this document, as typically the authorization endpoint and token endpoint are part of the same system and can share storage or another private communication mechanism.</p>
+
+          <p>If the request is valid, then the token endpoint can generate an access token and return the appropriate response. The token response is a JSON [[!RFC7159]] object containing the OAuth 2.0 Bearer Token [[!RFC6750]], as well as a property <code>me</code>, containing the canonical user profile URL for the user this access token corresponds to, and optionally the property <code>profile</code> with the user's profile information as defined in <a href="#profile-information">Profile Information</a>. For example:</p>
 
           <pre class="example nohighlight">HTTP/1.1 200 OK
 Content-Type: application/json
@@ -542,10 +568,57 @@
   "me": "https://user.example.net/"
 }</pre>
 
-          <p>The resulting profile URL MAY be different from what the user initially entered, but MUST be on the same domain. This provides the opportunity to canonicalize the user's URL, such as correcting <code>http</code> to <code>https</code>, or adding a path if required. See <a href="#redirect-examples">Redirect Examples</a> for an example of how a service can allow a user to enter a URL on a domain different from their resulting <code>me</code> profile URL.</p>
+          <p>The resulting profile URL MAY be different from the canonical profile URL as resolved by the client, but MUST be on the same domain. This provides the opportunity to canonicalize the user's URL, such as correcting <code>http</code> to <code>https</code>, or adding a path if required. See <a href="#redirect-examples">Redirect Examples</a> for an example of how a service can allow a user to enter a URL on a domain different from their resulting <code>me</code> profile URL.</p>
 
           <p>See OAuth 2.0 [[!RFC6749]] <a href="https://tools.ietf.org/html/rfc6749#section-5.2">Section 5.2</a> for how to respond in the case of errors or other failures.</p>
         </section>
+
+        <section>
+          <h4>Profile Information</h4>
+
+          <h5>Requesting Profile Information</h5>
+
+          <p>If the client would like to request the user's profile information in addition to confirming their profile URL, the client can include one or more scopes in the initial authorization request. The following <code>scope</code> values are defined by this specification to request profile information about the user:</p>
+
+          <ul>
+            <li><code>profile</code> (required) - This scope requests access to the user's default profile information which include the following properties: <code>name</code>, <code>photo</code>, <code>url</code>.</li>
+            <li><code>email</code> - This scope requests access to the user's email address in the following property: <code>email</code>.</li>
+          </ul>
+
+          <p>Note that because the <code>profile</code> scope is required when requesting profile information, the <code>email</code> scope cannot be requested on its own and must be requested along with the <code>profile</code> scope if desired.<p>
+
+          <p>When an authorization code is issued with any of the scopes defined above, then the response when exchanging the authorization code MAY include a new property, <code>profile</code>, alongside the <code>me</code> property in the response from the authorization endpoint or the token endpoint. The <code>profile</code> property is defined as a JSON [[!RFC7159]] object with the properties defined by each scope above.</p>
+
+          <p>For example, a complete response to a request with the scopes <code>profile email create</code>, including an access token and profile information, may look like the following:</p>
+
+          <pre class="example nohighlight">HTTP/1.1 200 OK
+Content-Type: application/json
+
+{
+  "access_token": "XXXXXX",
+  "token_type": "Bearer",
+  "scope": "profile email create",
+  "me": "https://user.example.net/",
+  "profile": {
+    "name": "Example User",
+    "url": "https://user.example.net/",
+    "photo": "https://user.example.net/photo.jpg",
+    "email": "user@example.net"
+  }
+}</pre>
+
+          <p>As is always the case with OAuth 2.0, there is no guarantee that the scopes the client requests will be granted by the authorization server or the user. The client should not rely on the presence of profile information even when requesting the profile scope. As such, implementing support for returning profile information from the authorization server is entirely optional.</p>
+
+          <p>The information returned in the <code>profile</code> object is informational, and there is no guarantee that this information is "real" or "verified". The information provided is only what the user has chosen to share with the client, and may even vary depending on which client is requesting this data.</p>
+
+          <p>The client MUST NOT treat the information in the <code>profile</code> object as canonical or authoritative, and MUST NOT make any authentication or identification decisions based on this information.</p>
+
+          <p>For example, attempting to use the <code>email</code> returned in the profile object as a user identifier will lead to security holes, as any user can create an authorization endpoint that returns any email address in the profile response. A client using the email address returned here should treat it the same as if it had been hand-entered in the client application and go through its own verification process before using it.</p>
+
+          <p>Similarly, the <code>url</code> returned in the <code>profile</code> object is not guaranteed to match the <code>me</code> URL, and may even be on a different domain. For example, a multi-author website may use the website's URL as the <code>me</code> URL, but return each specific author's own personal website in the profile data.</p>
+
+        </section>
+
       </section>
 
     </section>
@@ -570,7 +643,7 @@
       <section>
         <h4>Access Token Verification Response</h4>
 
-        <p>The token endpoint verifies the access token using (how this verification is done is up to the implementation), and returns information about the token:</p>
+        <p>The token endpoint verifies the access token (how this verification is done is up to the implementation), and returns information about the token:</p>
 
         <ul>
           <li><code>me</code> - The profile URL of the user corresponding to this token</li>
@@ -742,7 +815,17 @@
       <h2>Change Log</h2>
 
       <section>
-        <h3>Changes from 25 January 2020 to this version</h3>
+        <h3>Changes from 09 August 2020 to this version</h3>
+        <ul>
+          <li>Make the <code>me</code> parameter optional (but recommended) in the authorization request</li>
+          <li>Add the option of returning profile information in the response as well as defining profile scopes</li>
+          <li>Incorporate PKCE into the spec</li>
+          <li>Fixed text about which URL to resolve relative authorization/token endpoint URLs from</li>
+        </ul>
+      </section>
+
+      <section>
+        <h3>Changes from 25 January 2020 to 09 August 2020</h3>
         <ul>
           <li>Drop the <code>me</code> parameter from the token endpoint request</li>
           <li>Consolidate the authentication and authorization sections into a single section, describing only the difference which is the response returned.</li>
diff --git a/public/spec/20200809/index.html b/public/spec/20200809/index.html
new file mode 100644
index 0000000..80abbc8
--- /dev/null
+++ b/public/spec/20200809/index.html
@@ -0,0 +1,886 @@
+<!DOCTYPE html><html lang="en" dir="ltr"><head><meta charset="utf-8"><meta name="generator" content="ReSpec 25.6.0"><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"><style>span.example-title{text-transform:none}aside.example,div.example,div.illegal-example{padding:.5em;margin:1em 0;position:relative;clear:both}div.illegal-example{color:red}div.illegal-example p{color:#000}aside.example,div.example{padding:.5em;border-left-width:.5em;border-left-style:solid;border-color:#e0cb52;background:#fcfaee}aside.example div.example{border-left-width:.1em;border-color:#999;background:#fff}aside.example div.example span.example-title{color:#999}</style>
+    <title>IndieAuth</title>
+    
+    
+    
+    
+    
+    <link rel="pingback" href="https://indieauth.net/pingback">
+    <link rel="webmention" href="https://indieauth.net/webmention">
+  <style id="respec-mainstyle">@keyframes pop{0%{transform:scale(1,1)}25%{transform:scale(1.25,1.25);opacity:.75}100%{transform:scale(1,1)}}.hljs{background:0 0!important}a abbr,h1 abbr,h2 abbr,h3 abbr,h4 abbr,h5 abbr,h6 abbr{border:none}dfn{font-weight:700}a.internalDFN{color:inherit;border-bottom:1px solid #99c;text-decoration:none}a.externalDFN{color:inherit;border-bottom:1px dotted #ccc;text-decoration:none}a.bibref{text-decoration:none}.respec-offending-element:target{animation:pop .25s ease-in-out 0s 1}.respec-offending-element,a[href].respec-offending-element{text-decoration:red wavy underline}@supports not (text-decoration:red wavy underline){.respec-offending-element:not(pre){display:inline-block}.respec-offending-element{background:url(data:image/gif;base64,R0lGODdhBAADAPEAANv///8AAP///wAAACwAAAAABAADAEACBZQjmIAFADs=) bottom repeat-x}}#references :target{background:#eaf3ff;animation:pop .4s ease-in-out 0s 1}cite .bibref{font-style:normal}code{color:#c63501}th code{color:inherit}a[href].orcid{padding-left:4px;padding-right:4px}a[href].orcid>svg{margin-bottom:-2px}.toc a,.tof a{text-decoration:none}a .figno,a .secno{color:#000}ol.tof,ul.tof{list-style:none outside none}.caption{margin-top:.5em;font-style:italic}table.simple{border-spacing:0;border-collapse:collapse;border-bottom:3px solid #005a9c}.simple th{background:#005a9c;color:#fff;padding:3px 5px;text-align:left}.simple th a{color:#fff;padding:3px 5px;text-align:left}.simple th[scope=row]{background:inherit;color:inherit;border-top:1px solid #ddd}.simple td{padding:3px 10px;border-top:1px solid #ddd}.simple tr:nth-child(even){background:#f0f6ff}.section dd>p:first-child{margin-top:0}.section dd>p:last-child{margin-bottom:0}.section dd{margin-bottom:1em}.section dl.attrs dd,.section dl.eldef dd{margin-bottom:0}#issue-summary>ul,.respec-dfn-list{column-count:2}#issue-summary li,.respec-dfn-list li{list-style:none}details.respec-tests-details{margin-left:1em;display:inline-block;vertical-align:top}details.respec-tests-details>*{padding-right:2em}details.respec-tests-details[open]{z-index:999999;position:absolute;border:thin solid #cad3e2;border-radius:.3em;background-color:#fff;padding-bottom:.5em}details.respec-tests-details[open]>summary{border-bottom:thin solid #cad3e2;padding-left:1em;margin-bottom:1em;line-height:2em}details.respec-tests-details>ul{width:100%;margin-top:-.3em}details.respec-tests-details>li{padding-left:1em}a[href].self-link:hover{opacity:1;text-decoration:none;background-color:transparent}h2,h3,h4,h5,h6{position:relative}aside.example .marker>a.self-link{color:inherit}h2>a.self-link,h3>a.self-link,h4>a.self-link,h5>a.self-link,h6>a.self-link{border:none;color:inherit;font-size:83%;height:2em;left:-1.6em;opacity:.5;position:absolute;text-align:center;text-decoration:none;top:0;transition:opacity .2s;width:2em}h2>a.self-link::before,h3>a.self-link::before,h4>a.self-link::before,h5>a.self-link::before,h6>a.self-link::before{content:"§";display:block}@media (max-width:767px){dd{margin-left:0}h2>a.self-link,h3>a.self-link,h4>a.self-link,h5>a.self-link,h6>a.self-link{left:auto;top:auto}}@media print{.removeOnSave{display:none}}</style><meta name="description" content="IndieAuth is an identity layer on top of OAuth 2.0 [RFC6749], primarily used to obtain
+        an OAuth 2.0 Bearer Token [RFC6750] for use by [Micropub] clients. End-Users
+        and Clients are all represented by URLs. IndieAuth enables Clients to
+        verify the identity of an End-User, as well as to obtain an access
+        token that can be used to access resources under the control of the End-User."><link rel="canonical" href="https://www.w3.org/TR/indieauth/"><style>.hljs{display:block;overflow-x:auto;padding:.5em;color:#383a42;background:#fafafa}.hljs-comment,.hljs-quote{color:#717277;font-style:italic}.hljs-doctag,.hljs-formula,.hljs-keyword{color:#a626a4}.hljs-deletion,.hljs-name,.hljs-section,.hljs-selector-tag,.hljs-subst{color:#ca4706;font-weight:700}.hljs-literal{color:#0b76c5}.hljs-addition,.hljs-attribute,.hljs-meta-string,.hljs-regexp,.hljs-string{color:#42803c}.hljs-built_in,.hljs-class .hljs-title{color:#9a6a01}.hljs-attr,.hljs-number,.hljs-selector-attr,.hljs-selector-class,.hljs-selector-pseudo,.hljs-template-variable,.hljs-type,.hljs-variable{color:#986801}.hljs-bullet,.hljs-link,.hljs-meta,.hljs-selector-id,.hljs-symbol,.hljs-title{color:#336ae3}.hljs-emphasis{font-style:italic}.hljs-strong{font-weight:700}.hljs-link{text-decoration:underline}</style><style>var{position:relative;cursor:pointer}var[data-type]::after,var[data-type]::before{position:absolute;left:50%;top:-6px;opacity:0;transition:opacity .4s;pointer-events:none}var[data-type]::before{content:"";transform:translateX(-50%);border-width:4px 6px 0 6px;border-style:solid;border-color:transparent;border-top-color:#000}var[data-type]::after{content:attr(data-type);transform:translateX(-50%) translateY(-100%);background:#000;text-align:center;font-family:"Dank Mono","Fira Code",monospace;font-style:normal;padding:6px;border-radius:3px;color:#daca88;text-indent:0;font-weight:400}var[data-type]:hover::after,var[data-type]:hover::before{opacity:1}</style><script id="initialUserConfig" type="application/json">{
+  "useExperimentalStyles": true,
+  "publishDate": "2020-08-09",
+  "specStatus": "NOTE",
+  "previousPublishDate": "2019-03-03",
+  "previousMaturity": "LS",
+  "previousVersionURL": "https://indieauth.spec.indieweb.org/20190303/",
+  "shortName": "indieauth",
+  "lsURI": "https://indieauth.spec.indieweb.org/",
+  "testSuiteURI": "https://indieauth.rocks/",
+  "editors": [
+    {
+      "name": "Aaron Parecki",
+      "url": "https://aaronparecki.com/",
+      "w3cid": "59996"
+    }
+  ],
+  "wg": "Social Web Working Group",
+  "wgURI": "https://www.w3.org/Social/WG",
+  "wgPublicList": "public-socialweb",
+  "wgPatentURI": "https://www.w3.org/2004/01/pp-impl/72531/status",
+  "errata": "https://indieauth.net/errata",
+  "license": "w3c-software-doc",
+  "postProcess": [
+    null,
+    null
+  ],
+  "maxTocLevel": 3,
+  "otherLinks": [
+    {
+      "key": "Repository",
+      "data": [
+        {
+          "value": "Github",
+          "href": "https://github.com/indieweb/indieauth"
+        },
+        {
+          "value": "Issues",
+          "href": "https://github.com/indieweb/indieauth/issues"
+        },
+        {
+          "value": "Commits",
+          "href": "https://github.com/indieweb/indieauth/commits/master"
+        }
+      ]
+    }
+  ],
+  "localBiblio": {
+    "microformats2-parsing": {
+      "title": "Microformats2 Parsing",
+      "href": "https://microformats.org/wiki/microformats2-parsing",
+      "authors": [
+        "Tantek Çelik"
+      ],
+      "status": "Living Specification",
+      "publisher": "microformats.org"
+    },
+    "h-entry": {
+      "title": "h-entry",
+      "href": "https://microformats.org/wiki/h-entry",
+      "authors": [
+        "Tantek Çelik"
+      ],
+      "status": "Living Specification",
+      "publisher": "microformats.org"
+    },
+    "h-app": {
+      "title": "h-app",
+      "href": "https://microformats.org/wiki/h-app",
+      "authors": [
+        "Aaron Parecki"
+      ],
+      "status": "Living Specification",
+      "publisher": "microformats.org",
+      "id": "h-app"
+    },
+    "RelMeAuth": {
+      "title": "RelMeAuth",
+      "href": "https://microformats.org/wiki/RelMeAuth",
+      "authors": [
+        "Tantek Çelik"
+      ],
+      "status": "Living Specification",
+      "publisher": "microformats.org",
+      "id": "relmeauth"
+    },
+    "XFN11": {
+      "title": "XFN 1.1",
+      "href": "https://gmpg.org/xfn/11",
+      "authors": [
+        "Tantek Çelik",
+        "Matthew Mullenweg",
+        "Eric Meyer"
+      ],
+      "status": "Stable",
+      "publisher": "Global Multimedia Protocols Group"
+    },
+    "URL": {
+      "title": "URL Standard",
+      "href": "https://url.spec.whatwg.org/",
+      "authors": [
+        "Anne van Kesteren"
+      ],
+      "status": "Living Standard",
+      "publisher": "WHATWG",
+      "id": "url"
+    }
+  },
+  "publishISODate": "2020-08-09T00:00:00.000Z",
+  "generatedSubtitle": "Working Group Note 09 August 2020"
+}</script><link rel="stylesheet" href="https://www.w3.org/StyleSheets/TR/2016/W3C-NOTE"></head>
+  <body class="h-entry informative" style="background-image: url(&quot;https://spec.indieweb.org/INDIEWEB-LIVING-STANDARD.svg&quot;);"><div class="head">
+    <a class="logo" href="https://www.w3.org/"><img alt="W3C" width="120" height="100" src="https://spec.indieweb.org/index_files/logo.svg"></a> <h1 id="title" class="title">IndieAuth</h1>
+    
+    <h2>IndieWeb Living Standard 09 August 2020</h2>
+    <dl>
+      <dt>This version:</dt><dd>
+              <a class="u-url" href="https://indieauth.spec.indieweb.org/20200809/">https://indieauth.spec.indieweb.org/20200809/</a>
+            </dd>
+      
+      <dt>Test suite:</dt><dd><a href="https://indieauth.rocks/">https://indieauth.rocks/</a></dd>
+      
+      
+      <dt>Previous version:</dt><dd><a href="https://indieauth.spec.indieweb.org/20200125/">https://indieauth.spec.indieweb.org/20200125/</a></dd>
+      
+      <dt>Editor:</dt>
+      <dd class="p-author h-card vcard" data-editor-id="59996"><a class="u-url url p-name fn" href="https://aaronparecki.com/">Aaron Parecki</a></dd>
+      
+      
+      <dt>Repository:</dt><dd>
+    <a href="https://github.com/indieweb/indieauth">Github</a>
+  </dd><dd>
+    <a href="https://github.com/indieweb/indieauth/issues">Issues</a>
+  </dd><dd>
+    <a href="https://github.com/indieweb/indieauth/commits/master">Commits</a>
+  </dd>
+    </dl>
+    <p>
+          Please check the
+          <a href="https://indieauth.net/errata"><strong>errata</strong></a> for any errors or
+          issues reported since publication.
+        </p>
+    
+    
+    <p class="copyright"><b>License:</b> Per <a href="https://creativecommons.org/publicdomain/zero/1.0/">CC0</a>, to the extent possible under law, the editor(s) and contributors have waived all copyright and related or neighboring rights to this work. In addition, the editor(s) and contributors have made this specification available under the <a href="http://www.openwebfoundation.org/legal/the-owf-1-0-agreements/owfa-1-0">Open Web Foundation Agreement Version 1.0</a>.</p>
+    <hr title="Separator for header">
+  </div>
+    <section id="abstract" class="introductory"><h2>Abstract</h2>
+      <p id="abstract-p-1">
+        IndieAuth is an identity layer on top of OAuth 2.0 [<cite><a class="bibref" data-link-type="biblio" href="#bib-rfc6749" title="The OAuth 2.0 Authorization Framework">RFC6749</a></cite>], primarily used to obtain
+        an OAuth 2.0 Bearer Token [<cite><a class="bibref" data-link-type="biblio" href="#bib-rfc6750" title="The OAuth 2.0 Authorization Framework: Bearer Token Usage">RFC6750</a></cite>] for use by [<cite><a class="bibref" data-link-type="biblio" href="#bib-micropub" title="Micropub">Micropub</a></cite>] clients. End-Users
+        and Clients are all represented by URLs. IndieAuth enables Clients to
+        verify the identity of an End-User, as well as to obtain an access
+        token that can be used to access resources under the control of the End-User.
+      </p>
+
+      <section id="authorsnote" class="informative">
+        <h3 id="author-s-note">Author's Note<a class="self-link" aria-label="§" href="#authorsnote"></a></h3><p id="authorsnote-p-1"><em>This section is non-normative.</em></p>
+        <p id="authorsnote-p-2">This specification was contributed to the <abbr title="World Wide Web Consortium">W3C</abbr> from the
+          <a href="https://indieweb.org/">IndieWeb</a> community. More
+          history and evolution of IndieAuth can be found on the
+          <a href="https://indieweb.org/IndieAuth-spec">IndieWeb wiki</a>.</p>
+      </section>
+    </section>
+
+    <section id="sotd" class="introductory"><h2>Status of This Document</h2>
+    <p>This document was published by the IndieWeb community as a Living Standard.</p><p>Per <a href="https://creativecommons.org/publicdomain/zero/1.0/">CC0</a>, to the extent possible under law, the editor(s) and contributors have waived all copyright and related or neighboring rights to this work. In addition, the editor(s) and contributors have made this specification available under the <a href="http://www.openwebfoundation.org/legal/the-owf-1-0-agreements/owfa-1-0">Open Web Foundation Agreement Version 1.0</a>.</p></section><nav id="toc"><h2 class="introductory" id="table-of-contents">Table of Contents</h2><ol class="toc"><li class="tocline"><a class="tocxref" href="#introduction"><bdi class="secno">1. </bdi>Introduction</a><ol class="toc"><li class="tocline"><a class="tocxref" href="#background"><bdi class="secno">1.1 </bdi>Background</a></li><li class="tocline"><a class="tocxref" href="#oauth-2-0-extension"><bdi class="secno">1.2 </bdi>OAuth 2.0 Extension</a></li></ol></li><li class="tocline"><a class="tocxref" href="#conformance"><bdi class="secno">2. </bdi>Conformance</a><ol class="toc"><li class="tocline"><a class="tocxref" href="#conformance-classes"><bdi class="secno">2.1 </bdi>Conformance Classes</a><ol class="toc"><li class="tocline"><a class="tocxref" href="#authorization-endpoint"><bdi class="secno">2.1.1 </bdi>Authorization Endpoint</a></li><li class="tocline"><a class="tocxref" href="#token-endpoint"><bdi class="secno">2.1.2 </bdi>Token Endpoint</a></li><li class="tocline"><a class="tocxref" href="#micropub-client"><bdi class="secno">2.1.3 </bdi>Micropub Client</a></li><li class="tocline"><a class="tocxref" href="#indieauth-client"><bdi class="secno">2.1.4 </bdi>IndieAuth Client</a></li></ol></li></ol></li><li class="tocline"><a class="tocxref" href="#identifiers"><bdi class="secno">3. </bdi>Identifiers</a><ol class="toc"><li class="tocline"><a class="tocxref" href="#user-profile-url"><bdi class="secno">3.1 </bdi>User Profile URL</a></li><li class="tocline"><a class="tocxref" href="#client-identifier"><bdi class="secno">3.2 </bdi>Client Identifier</a></li><li class="tocline"><a class="tocxref" href="#url-canonicalization"><bdi class="secno">3.3 </bdi>URL Canonicalization</a></li></ol></li><li class="tocline"><a class="tocxref" href="#discovery"><bdi class="secno">4. </bdi>Discovery</a><ol class="toc"><li class="tocline"><a class="tocxref" href="#discovery-by-clients"><bdi class="secno">4.1 </bdi>Discovery by Clients</a><ol class="toc"><li class="tocline"><a class="tocxref" href="#redirect-examples"><bdi class="secno">4.1.1 </bdi>Redirect Examples</a><ol class="toc"></ol></li></ol></li><li class="tocline"><a class="tocxref" href="#client-information-discovery"><bdi class="secno">4.2 </bdi>Client Information Discovery</a><ol class="toc"><li class="tocline"><a class="tocxref" href="#application-information"><bdi class="secno">4.2.1 </bdi>Application Information</a></li><li class="tocline"><a class="tocxref" href="#redirect-url"><bdi class="secno">4.2.2 </bdi>Redirect URL</a></li></ol></li></ol></li><li class="tocline"><a class="tocxref" href="#authorization"><bdi class="secno">5. </bdi>Authorization</a><ol class="toc"><li class="tocline"><a class="tocxref" href="#discovery-0"><bdi class="secno">5.1 </bdi>Discovery</a></li><li class="tocline"><a class="tocxref" href="#authorization-request"><bdi class="secno">5.2 </bdi>Authorization Request</a><ol class="toc"><li class="tocline"><a class="tocxref" href="#authorization-response"><bdi class="secno">5.2.1 </bdi>Authorization Response</a></li></ol></li><li class="tocline"><a class="tocxref" href="#redeeming-the-authorization-code"><bdi class="secno">5.3 </bdi>Redeeming the Authorization Code</a><ol class="toc"><li class="tocline"><a class="tocxref" href="#request"><bdi class="secno">5.3.1 </bdi>Request</a></li><li class="tocline"><a class="tocxref" href="#profile-url-response"><bdi class="secno">5.3.2 </bdi>Profile URL Response</a></li><li class="tocline"><a class="tocxref" href="#access-token-response"><bdi class="secno">5.3.3 </bdi>Access Token Response</a></li></ol></li></ol></li><li class="tocline"><a class="tocxref" href="#access-token-verification"><bdi class="secno">6. </bdi>Access Token Verification</a><ol class="toc"><li class="tocline"><a class="tocxref" href="#access-token-verification-request"><bdi class="secno">6.1 </bdi>Access Token Verification Request</a></li><li class="tocline"><a class="tocxref" href="#access-token-verification-response"><bdi class="secno">6.2 </bdi>Access Token Verification Response</a></li></ol></li><li class="tocline"><a class="tocxref" href="#token-revocation"><bdi class="secno">7. </bdi>Token Revocation</a><ol class="toc"><li class="tocline"><a class="tocxref" href="#token-revocation-request"><bdi class="secno">7.1 </bdi>Token Revocation Request</a></li></ol></li><li class="tocline"><a class="tocxref" href="#security-considerations"><bdi class="secno">8. </bdi>Security Considerations</a><ol class="toc"><li class="tocline"><a class="tocxref" href="#differing-user-profile-urls"><bdi class="secno">8.1 </bdi>Differing User Profile URLs</a></li><li class="tocline"><a class="tocxref" href="#preventing-phishing-and-redirect-attacks"><bdi class="secno">8.2 </bdi>Preventing Phishing and Redirect Attacks</a></li></ol></li><li class="tocline"><a class="tocxref" href="#iana-considerations"><bdi class="secno">9. </bdi>IANA Considerations</a></li><li class="tocline"><a class="tocxref" href="#resources"><bdi class="secno">A. </bdi>Resources</a><ol class="toc"><li class="tocline"><a class="tocxref" href="#articles"><bdi class="secno">A.1 </bdi>Articles</a></li><li class="tocline"><a class="tocxref" href="#implementations"><bdi class="secno">A.2 </bdi>Implementations</a></li></ol></li><li class="tocline"><a class="tocxref" href="#acknowledgements"><bdi class="secno">B. </bdi>Acknowledgements</a></li><li class="tocline"><a class="tocxref" href="#change-log"><bdi class="secno">C. </bdi>Change Log</a><ol class="toc"><li class="tocline"><a class="tocxref" href="#changes-from-25-january-2020-to-this-version"><bdi class="secno">C.1 </bdi>Changes from 25 January 2020 to this version</a></li><li class="tocline"><a class="tocxref" href="#changes-from-03-march-2019-to-25-january-2020"><bdi class="secno">C.2 </bdi>Changes from 03 March 2019 to 25 January 2020</a></li><li class="tocline"><a class="tocxref" href="#changes-from-07-july-2018-to-03-march-2019"><bdi class="secno">C.3 </bdi>Changes from 07 July 2018 to 03 March 2019</a></li><li class="tocline"><a class="tocxref" href="#changes-from-23-january-2018-to-07-july-2018"><bdi class="secno">C.4 </bdi>Changes from <span class="formerLink">23 January 2018</span> to 07 July 2018</a></li><li class="tocline"><a class="tocxref" href="#changes-from-07-july-2018-to-03-march-2019-0"><bdi class="secno">C.5 </bdi>Changes from 07 July 2018 to 03 March 2019</a></li></ol></li><li class="tocline"><a class="tocxref" href="#references"><bdi class="secno">D. </bdi>References</a><ol class="toc"><li class="tocline"><a class="tocxref" href="#normative-references"><bdi class="secno">D.1 </bdi>
+        Normative references
+      </a></li><li class="tocline"><a class="tocxref" href="#informative-references"><bdi class="secno">D.2 </bdi>
+        Informative references
+      </a></li></ol></li></ol></nav>
+
+    <section id="introduction">
+      <h2 id="x1-introduction"><bdi class="secno">1. </bdi>Introduction<a class="self-link" aria-label="§" href="#introduction"></a></h2>
+
+      <section class="informative" id="background">
+        <h3 id="x1-1-background"><bdi class="secno">1.1 </bdi>Background<a class="self-link" aria-label="§" href="#background"></a></h3><p id="background-p-1"><em>This section is non-normative.</em></p>
+
+        <p id="background-p-2">The IndieAuth spec began as a way to obtain an OAuth 2.0 access token for use by Micropub clients. It can be used to both obtain an access token, as well as authenticate users signing to any application. It is built on top of the OAuth 2.0 framework, and while this document should provide enough guidance for implementers, referring to the core OAuth 2.0 spec can help answer any remaining questions. More information can be found <a href="https://indieweb.org/IndieAuth-spec">on the IndieWeb wiki</a>.</p>
+      </section>
+
+      <section class="normative" id="oauth-2-0-extension">
+        <h3 id="x1-2-oauth-2-0-extension"><bdi class="secno">1.2 </bdi>OAuth 2.0 Extension<a class="self-link" aria-label="§" href="#oauth-2-0-extension"></a></h3>
+
+        <p id="oauth-2-0-extension-p-1">IndieAuth builds upon the OAuth 2.0 [<cite><a class="bibref" data-link-type="biblio" href="#bib-rfc6749" title="The OAuth 2.0 Authorization Framework">RFC6749</a></cite>] Framework as follows</p>
+
+        <ul>
+          <li id="oauth-2-0-extension-li-1">Specifies a format for user identifiers (a resolvable URL)</li>
+          <li id="oauth-2-0-extension-li-2">Specifies a method of discovering the authorization and token endpoints given a profile URL</li>
+          <li id="oauth-2-0-extension-li-3">Specifies a format for the Client ID (a resolvable URL)</li>
+          <li id="oauth-2-0-extension-li-4">All clients are public clients (no <code>client_secret</code> is used)</li>
+          <li id="oauth-2-0-extension-li-5">Client registration at the authorization endpoint is not necessary, since client IDs are resolvable URLs</li>
+          <li id="oauth-2-0-extension-li-6">Redirect URL registration happens by verifying data fetched at the Client ID URL</li>
+          <li id="oauth-2-0-extension-li-7">Specifies a mechanism for returning the user identifier for the user who authorized a request</li>
+          <li id="oauth-2-0-extension-li-8">Specifies a mechanism for verifying authorization codes</li>
+          <li id="oauth-2-0-extension-li-9">Specifies a mechanism for a token endpoint and authorization endpoint to communicate</li>
+        </ul>
+
+        <p id="oauth-2-0-extension-p-2">Additionally, the parameters defined by OAuth 2.0 (in particular <code>state</code>, <code>code</code>, and <code>scope</code>) follow the same syntax requirements as defined by Appendix A of OAuth 2.0 [<cite><a class="bibref" data-link-type="biblio" href="#bib-rfc6749" title="The OAuth 2.0 Authorization Framework">RFC6749</a></cite>].</p>
+      </section>
+    </section>
+
+    <section class="normative" id="conformance">
+      <h2 id="x2-conformance"><bdi class="secno">2. </bdi>Conformance<a class="self-link" aria-label="§" href="#conformance"></a></h2>
+
+      <p id="conformance-p-1">The key words "<em class="rfc2119" title="MUST">MUST</em>", "<em class="rfc2119" title="MUST NOT">MUST NOT</em>", "<em class="rfc2119" title="REQUIRED">REQUIRED</em>", "<em class="rfc2119" title="SHALL">SHALL</em>", "<em class="rfc2119" title="SHALL NOT">SHALL NOT</em>",
+      "<em class="rfc2119" title="SHOULD">SHOULD</em>", "<em class="rfc2119" title="SHOULD NOT">SHOULD NOT</em>", "<em class="rfc2119" title="RECOMMENDED">RECOMMENDED</em>", "<em class="rfc2119" title="MAY">MAY</em>", and "<em class="rfc2119" title="OPTIONAL">OPTIONAL</em>" in this
+      document are to be interpreted as described in [<cite><a class="bibref" data-link-type="biblio" href="#bib-rfc2119" title="Key words for use in RFCs to Indicate Requirement Levels">RFC2119</a></cite>].</p>
+
+      <section id="conformance-classes">
+        <h3 id="x2-1-conformance-classes"><bdi class="secno">2.1 </bdi>Conformance Classes<a class="self-link" aria-label="§" href="#conformance-classes"></a></h3>
+
+        <p id="conformance-classes-p-1">An IndieAuth implementation can implement one or more of the roles of an IndieAuth server or client. This section describes the conformance criteria for each role.</p>
+
+        <p id="conformance-classes-p-2">Listed below are known types of IndieAuth implementations.</p>
+
+        <section id="authorization-endpoint">
+          <h4 id="x2-1-1-authorization-endpoint"><bdi class="secno">2.1.1 </bdi>Authorization Endpoint<a class="self-link" aria-label="§" href="#authorization-endpoint"></a></h4>
+          <p id="authorization-endpoint-p-1">An IndieAuth Authorization Endpoint is responsible for obtaining authentication or authorization consent from the end user and generating and verifying authorization codes.</p>
+        </section>
+
+        <section id="token-endpoint">
+          <h4 id="x2-1-2-token-endpoint"><bdi class="secno">2.1.2 </bdi>Token Endpoint<a class="self-link" aria-label="§" href="#token-endpoint"></a></h4>
+          <p id="token-endpoint-p-1">An IndieAuth Token Endpoint is responsible for generating and verifying OAuth 2.0 Bearer Tokens.</p>
+        </section>
+
+        <section id="micropub-client">
+          <h4 id="x2-1-3-micropub-client"><bdi class="secno">2.1.3 </bdi>Micropub Client<a class="self-link" aria-label="§" href="#micropub-client"></a></h4>
+          <p id="micropub-client-p-1">A Micropub client will attempt to obtain an OAuth 2.0 Bearer Token given an IndieAuth profile URL, and will use the token when making Micropub requests.</p>
+        </section>
+
+        <section id="indieauth-client">
+          <h4 id="x2-1-4-indieauth-client"><bdi class="secno">2.1.4 </bdi>IndieAuth Client<a class="self-link" aria-label="§" href="#indieauth-client"></a></h4>
+          <p id="indieauth-client-p-1">An IndieAuth client is a client that is attempting to authenticate a user given their profile URL, but does not need an OAuth 2.0 Bearer Token.</p>
+        </section>
+
+      </section>
+    </section>
+
+    <section class="normative" id="identifiers">
+      <h2 id="x3-identifiers"><bdi class="secno">3. </bdi>Identifiers<a class="self-link" aria-label="§" href="#identifiers"></a></h2>
+
+      <section id="user-profile-url">
+        <h3 id="x3-1-user-profile-url"><bdi class="secno">3.1 </bdi>User Profile URL<a class="self-link" aria-label="§" href="#user-profile-url"></a></h3>
+
+        <p id="user-profile-url-p-1">Users are identified by a [<cite><a class="bibref" data-link-type="biblio" href="#bib-url" title="URL Standard">URL</a></cite>]. Profile URLs <em class="rfc2119" title="MUST">MUST</em> have either an <code>https</code> or <code>http</code> scheme, <em class="rfc2119" title="MUST">MUST</em> contain a path component (<code>/</code> is a valid path), <em class="rfc2119" title="MUST NOT">MUST NOT</em> contain single-dot or double-dot path segments, <em class="rfc2119" title="MAY">MAY</em> contain a query string component, <em class="rfc2119" title="MUST NOT">MUST NOT</em> contain a fragment component, <em class="rfc2119" title="MUST NOT">MUST NOT</em> contain a username or password component, and <em class="rfc2119" title="MUST NOT">MUST NOT</em> contain a port. Additionally, hostnames <em class="rfc2119" title="MUST">MUST</em> be domain names and <em class="rfc2119" title="MUST NOT">MUST NOT</em> be ipv4 or ipv6 addresses.</p>
+
+        <p id="user-profile-url-p-2">Some examples of valid profile URLs are:</p>
+
+        <ul>
+          <li id="user-profile-url-li-1"><code>https://example.com/</code></li>
+          <li id="user-profile-url-li-2"><code>https://example.com/username</code></li>
+          <li id="user-profile-url-li-3"><code>https://example.com/users?id=100</code></li>
+        </ul>
+
+        <p id="user-profile-url-p-3">Some examples of invalid profile URLs are:</p>
+        <ul>
+          <li id="user-profile-url-li-4"><s><code>example.com</code></s> - missing scheme</li>
+          <li id="user-profile-url-li-5"><s><code>mailto:user@example.com</code></s> - invalid scheme</li>
+          <li id="user-profile-url-li-6"><s><code>https://example.com/foo/../bar</code></s> - contains a double-dot path segment</li>
+          <li id="user-profile-url-li-7"><s><code>https://example.com/#me</code></s> - contains a fragment</li>
+          <li id="user-profile-url-li-8"><s><code>https://user:pass@example.com/</code></s> - contains a username and password</li>
+          <li id="user-profile-url-li-9"><s><code>https://example.com:8443/</code></s> - contains a port</li>
+          <li id="user-profile-url-li-10"><s><code>https://172.28.92.51/</code></s> - host is an IP address</li>
+        </ul>
+      </section>
+
+      <section id="client-identifier">
+        <h3 id="x3-2-client-identifier"><bdi class="secno">3.2 </bdi>Client Identifier<a class="self-link" aria-label="§" href="#client-identifier"></a></h3>
+
+        <p id="client-identifier-p-1">Clients are identified by a [<cite><a class="bibref" data-link-type="biblio" href="#bib-url" title="URL Standard">URL</a></cite>]. Client identifier URLs <em class="rfc2119" title="MUST">MUST</em> have either an <code>https</code> or <code>http</code> scheme, <em class="rfc2119" title="MUST">MUST</em> contain a path component, <em class="rfc2119" title="MUST NOT">MUST NOT</em> contain single-dot or double-dot path segments, <em class="rfc2119" title="MAY">MAY</em> contain a query string component, <em class="rfc2119" title="MUST NOT">MUST NOT</em> contain a fragment component, <em class="rfc2119" title="MUST NOT">MUST NOT</em> contain a username or password component, and <em class="rfc2119" title="MAY">MAY</em> contain a port. Additionally, hostnames <em class="rfc2119" title="MUST">MUST</em> be domain names or a loopback interface and <em class="rfc2119" title="MUST NOT">MUST NOT</em> be IPv4 or IPv6 addresses except for IPv4 <code>127.0.0.1</code> or IPv6 <code>[::1]</code>.</p>
+      </section>
+
+      <section id="url-canonicalization">
+        <h3 id="x3-3-url-canonicalization"><bdi class="secno">3.3 </bdi>URL Canonicalization<a class="self-link" aria-label="§" href="#url-canonicalization"></a></h3>
+
+        <p id="url-canonicalization-p-1">Since IndieAuth uses https/http URLs which fall under what [<cite><a class="bibref" data-link-type="biblio" href="#bib-url" title="URL Standard">URL</a></cite>] calls "<a href="https://url.spec.whatwg.org/#special-scheme">Special URLs</a>", a string with no path component is not a valid [<cite><a class="bibref" data-link-type="biblio" href="#bib-url" title="URL Standard">URL</a></cite>]. As such, if a URL with no path component is ever encountered, it <em class="rfc2119" title="MUST">MUST</em> be treated as if it had the path <code>/</code>. For example, if a user enters <code>https://example.com</code> as their profile URL, the client <em class="rfc2119" title="MUST">MUST</em> transform it to <code>https://example.com/</code> when using it and comparing it.</p>
+
+        <p id="url-canonicalization-p-2">Since domain names are case insensitive, the hostname component of the URL <em class="rfc2119" title="MUST">MUST</em> be compared case insensitively. Implementations <em class="rfc2119" title="SHOULD">SHOULD</em> convert the hostname to lowercase when storing and using URLs.</p>
+
+        <p id="url-canonicalization-p-3">For ease of use, clients <em class="rfc2119" title="MAY">MAY</em> allow users to enter just a hostname part of the URL, in which case the client <em class="rfc2119" title="MUST">MUST</em> turn that into a valid URL before beginning the IndieAuth flow, by prepending a either an <code>http</code> or <code>https</code> scheme and appending the path <code>/</code>. For example, if the user enters <code>example.com</code>, the client transforms it into <code>http://example.com/</code> before beginning discovery.</p>
+      </section>
+
+    </section>
+
+    <section class="normative" id="discovery">
+      <h2 id="x4-discovery"><bdi class="secno">4. </bdi>Discovery<a class="self-link" aria-label="§" href="#discovery"></a></h2>
+
+      <p id="discovery-p-1">This specification uses the link rel registry as defined by [<cite><a class="bibref" data-link-type="biblio" href="#bib-html" title="HTML Standard">HTML</a></cite>]
+        for both HTML and HTTP link relations.</p>
+
+      <section id="discovery-by-clients">
+        <h3 id="x4-1-discovery-by-clients"><bdi class="secno">4.1 </bdi>Discovery by Clients<a class="self-link" aria-label="§" href="#discovery-by-clients"></a></h3>
+
+        <p id="discovery-by-clients-p-1">Clients need to discover a few pieces of information when a user signs in. The client needs to discover the user's <code>authorization_endpoint</code>, and optionally <code>token_endpoint</code> if the client needs an access token. When using the Authorization flow to obtain an access token for use at a [<cite><a class="bibref" data-link-type="biblio" href="#bib-micropub" title="Micropub">Micropub</a></cite>] endpoint, the client will also discover the <code>micropub</code> endpoint.</p>
+
+        <p id="discovery-by-clients-p-2">Clients <em class="rfc2119" title="MUST">MUST</em> start by making a GET or HEAD request to [<cite><a class="bibref" data-link-type="biblio" href="#bib-fetch" title="Fetch Standard">Fetch</a></cite>] the user's profile URL to discover the necessary values. Clients <em class="rfc2119" title="MUST">MUST</em> follow HTTP redirects (up to a self-imposed limit). If an HTTP permament redirect (HTTP 301 or 308) is encountered, the client <em class="rfc2119" title="MUST">MUST</em> use the resulting URL as the canonical profile URL. If an HTTP temporary redirect (HTTP 302 or 307) is encountered, the client <em class="rfc2119" title="MUST">MUST</em> use the previous URL as the profile URL, but use the redirected-to page for discovery.</p>
+
+        <p id="discovery-by-clients-p-3">Clients <em class="rfc2119" title="MUST">MUST</em> check for an HTTP <code>Link</code> header [<cite><a class="bibref" data-link-type="biblio" href="#bib-rfc8288" title="Web Linking">RFC8288</a></cite>] with the appropriate <code>rel</code> value. If the content type of the document is HTML, then the client <em class="rfc2119" title="MUST">MUST</em> check for an HTML <code>&lt;link&gt;</code> element with the appropriate <code>rel</code> value. If more than one of these is present, the first HTTP <code>Link</code> header takes precedence, followed by the first <code>&lt;link&gt;</code> element in document order.</p>
+
+        <p id="discovery-by-clients-p-4">The endpoints discovered <em class="rfc2119" title="MAY">MAY</em> be relative URLs, in which case the client <em class="rfc2119" title="MUST">MUST</em> resolve them relative to the profile URL according to [<cite><a class="bibref" data-link-type="biblio" href="#bib-url" title="URL Standard">URL</a></cite>].</p>
+
+        <p id="discovery-by-clients-p-5">Clients <em class="rfc2119" title="MAY">MAY</em> initially make an HTTP HEAD request [<cite><a class="bibref" data-link-type="biblio" href="#bib-rfc7231" title="Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content">RFC7231</a></cite>] to follow redirects and check for the <code>Link</code> header before making a GET request.</p>
+
+        <section id="redirect-examples">
+          <h4 id="x4-1-1-redirect-examples"><bdi class="secno">4.1.1 </bdi>Redirect Examples<a class="self-link" aria-label="§" href="#redirect-examples"></a></h4>
+
+          <section id="http-to-https">
+            <h5 id="x4-1-1-1-http-to-https"><bdi class="secno">4.1.1.1 </bdi>http to https<a class="self-link" aria-label="§" href="#http-to-https"></a></h5>
+            <p id="http-to-https-p-1">In this example, the user enters <code>example.com</code> in the sign-in form, so the client initially transforms that to <code>http://example.com/</code> to perform discovery. The URL <code>http://example.com/</code> returns an HTTP 301 permanent redirect to <code>https://example.com/</code>, so the client updates the initial profile URL to <code>https://example.com/</code>, and looks at the contents of that page to find the authorization endpoint.</p>
+          </section>
+
+          <section id="www-to-no-www">
+            <h5 id="x4-1-1-2-www-to-no-www"><bdi class="secno">4.1.1.2 </bdi>www to no-www<a class="self-link" aria-label="§" href="#www-to-no-www"></a></h5>
+            <p id="www-to-no-www-p-1">In this example, the user enters <code>www.example.com</code> in the sign-in form, so the client initially transforms that to <code>http://www.example.com/</code> to perform discovery. The URL <code>http://www.example.com/</code> returns an HTTP 301 permanent redirect to <code>https://example.com/</code>, so the client updates the initial profile URL to <code>https://example.com/</code>, and looks at the contents of that page to find the authorization endpoint.</p>
+          </section>
+
+          <section id="temporary-redirect">
+            <h5 id="x4-1-1-3-temporary-redirect"><bdi class="secno">4.1.1.3 </bdi>Temporary Redirect<a class="self-link" aria-label="§" href="#temporary-redirect"></a></h5>
+            <p id="temporary-redirect-p-1">In this example, the user enters <code>example.com</code> in the sign-in form, so the client initially transforms that to <code>http://example.com/</code> to perform discovery. The URL <code>http://example.com/</code> returns an HTTP 301 permanent redirect to <code>https://example.com/</code>, and <code>https://example.com/</code> returns an HTTP 302 temporary redirect to <code>https://example.com/username</code>. The client stores the last 301 permanent redirect as the profile URL, <code>https://example.com/</code>, and uses the contents of <code>https://example.com/username</code> to find the authorization endpoint.</p>
+          </section>
+
+          <section id="permanent-redirect-to-a-different-domain">
+            <h5 id="x4-1-1-4-permanent-redirect-to-a-different-domain"><bdi class="secno">4.1.1.4 </bdi>Permanent Redirect to a Different Domain<a class="self-link" aria-label="§" href="#permanent-redirect-to-a-different-domain"></a></h5>
+            <p id="permanent-redirect-to-a-different-domain-p-1">In this example, the user enters <code>username.example</code> in the sign-in form, so the client initially transforms that to <code>http://username.example/</code> to perform discovery. However, the user does not host any content there, and instead that page is a redirect to their profile elsewhere. The URL <code>http://username.example/</code> returns an HTTP 301 permanent redirect to <code>https://example.com/username</code>, so the client updates the initial profile URL to <code>https://example.com/username</code> when setting the <code>me</code> parameter in the initial request. At the end of the flow, the authorization endpoint will return a <code>me</code> value of <code>https://example.com/username</code>, which is not on the same domain as what the user entered, but the client can accept it because of the HTTP 301 redirect encountered during discovery.</p>
+          </section>
+
+          <section id="temporary-redirect-to-a-different-domain">
+            <h5 id="x4-1-1-5-temporary-redirect-to-a-different-domain"><bdi class="secno">4.1.1.5 </bdi>Temporary Redirect to a Different Domain<a class="self-link" aria-label="§" href="#temporary-redirect-to-a-different-domain"></a></h5>
+            <p id="temporary-redirect-to-a-different-domain-p-1">In this example, the user enters <code>username.example</code> in the sign-in form, so the client initially transforms that to <code>http://username.example/</code> to perform discovery. However, the user does not host any content there, and instead that page is a temporary redirect to their profile elsewhere. The URL <code>http://username.example/</code> returns an HTTP 302 temporary redirect to <code>https://example.com/username</code>, so the client discovers the authorization endpoint at that URL. Since the redirect is temporary, the client still uses the user-entered <code>http://username.example/</code> when setting the <code>me</code> parameter in the initial request. At the end of the flow, the authorization endpoint will return a <code>me</code> value of <code>https://username.example/</code>, which is not on the same domain as the authorization endpoint, but is the same domain as the user entered. This allows users to still use a profile URL under their control while delegating the authentication or authorization flow to an external account.</p>
+          </section>
+        </section>
+      </section>
+
+      <section id="client-information-discovery">
+        <h3 id="x4-2-client-information-discovery"><bdi class="secno">4.2 </bdi>Client Information Discovery<a class="self-link" aria-label="§" href="#client-information-discovery"></a></h3>
+
+        <p id="client-information-discovery-p-1">When an authorization server presents its <a href="https://www.oauth.com/oauth2-servers/authorization/the-authorization-interface/">authorization interface</a>, it will often want to display some additional information about the client beyond just the <code>client_id</code> URL, in order to better inform the user about the request being made. Additionally, the authorization server needs to know the list of redirect URLs that the client is allowed to redirect to.</p>
+
+        <p id="client-information-discovery-p-2">Since client identifiers are URLs, the authorization server <em class="rfc2119" title="SHOULD">SHOULD</em> [<cite><a class="bibref" data-link-type="biblio" href="#bib-fetch" title="Fetch Standard">Fetch</a></cite>] the URL to find more information about the client.</p>
+
+        <section id="application-information">
+          <h4 id="x4-2-1-application-information"><bdi class="secno">4.2.1 </bdi>Application Information<a class="self-link" aria-label="§" href="#application-information"></a></h4>
+
+          <p id="application-information-p-1">Clients <em class="rfc2119" title="SHOULD">SHOULD</em> have a web page at their <code>client_id</code> URL with basic information about the application, at least the application's name and icon. This page serves as a good landing page for human visitors, but can also serve as the place to include machine-readable information about the application. The HTML on the <code>client_id</code> URL <em class="rfc2119" title="SHOULD">SHOULD</em> be marked up with [<cite><a class="bibref" data-link-type="biblio" href="#bib-h-app" title="h-app">h-app</a></cite>] Microformat to indicate the name and icon of the application. Authorization servers <em class="rfc2119" title="SHOULD">SHOULD</em> support parsing the [<cite><a class="bibref" data-link-type="biblio" href="#bib-h-app" title="h-app">h-app</a></cite>] Microformat from the <code>client_id</code>, and if there is an [<cite><a class="bibref" data-link-type="biblio" href="#bib-h-app" title="h-app">h-app</a></cite>] with a <code>url</code> property matching the <code>client_id</code> URL, then it should use the name and icon and display them on the authorization prompt.</p>
+
+          <div class="example" id="example-1">
+        <div class="marker">
+    <a class="self-link" href="#example-1">Example<bdi> 1</bdi></a>
+  </div> <pre aria-busy="false"><code class="hljs javascript">&lt;div <span class="hljs-class"><span class="hljs-keyword">class</span></span>=<span class="hljs-string">"h-app"</span>&gt;
+  <span class="xml"><span class="hljs-tag">&lt;<span class="hljs-name">img</span> <span class="hljs-attr">src</span>=<span class="hljs-string">"/logo.png"</span> <span class="hljs-attr">class</span>=<span class="hljs-string">"u-logo"</span>&gt;</span>
+  <span class="hljs-tag">&lt;<span class="hljs-name">a</span> <span class="hljs-attr">href</span>=<span class="hljs-string">"/"</span> <span class="hljs-attr">class</span>=<span class="hljs-string">"u-url p-name"</span>&gt;</span>Example App<span class="hljs-tag">&lt;/<span class="hljs-name">a</span>&gt;</span>
+<span class="hljs-tag">&lt;/<span class="hljs-name">div</span>&gt;</span></span></code></pre>
+      </div>
+
+          <p id="application-information-p-2">This can be parsed with a <a href="http://microformats.org/wiki/microformats2#Parsers">Microformats2 parser</a>, which will result in the following JSON structure.</p>
+
+          <div class="example" id="example-2">
+        <div class="marker">
+    <a class="self-link" href="#example-2">Example<bdi> 2</bdi></a>
+  </div> <pre aria-busy="false"><code class="hljs json">{
+  <span class="hljs-attr">"type"</span>: [
+    <span class="hljs-string">"h-app"</span>
+  ],
+  <span class="hljs-attr">"properties"</span>: {
+    <span class="hljs-attr">"name"</span>: [<span class="hljs-string">"Example App"</span>],
+    <span class="hljs-attr">"logo"</span>: [<span class="hljs-string">"https://app.example.com/logo.png"</span>],
+    <span class="hljs-attr">"url"</span>: [<span class="hljs-string">"https://app.example.com/"</span>]
+  }
+}</code></pre>
+      </div>
+        </section>
+
+        <section id="redirect-url">
+          <h4 id="x4-2-2-redirect-url"><bdi class="secno">4.2.2 </bdi>Redirect URL<a class="self-link" aria-label="§" href="#redirect-url"></a></h4>
+
+          <p id="redirect-url-p-1">If a client wishes to use a redirect URL that is on a different domain than their <code>client_id</code>, or if the redirect URL uses a custom scheme (such as when the client is a native application), then the client will need to whitelist those redirect URLs so that authorization endpoints can be sure it is safe to redirect users there. The client <em class="rfc2119" title="SHOULD">SHOULD</em> publish one or more <code>&lt;link&gt;</code> tags or <code>Link</code> HTTP headers with a <code>rel</code> attribute of <code>redirect_uri</code> at the <code>client_id</code> URL.</p>
+
+          <p id="redirect-url-p-2">Authorization endpoints verifying that a <code>redirect_uri</code> is allowed for use by a client <em class="rfc2119" title="MUST">MUST</em> look for an exact match of the given <code>redirect_uri</code> in the request against the list of <code>redirect_uri</code>s discovered after resolving any relative URLs.</p>
+
+          <div class="example" id="example-3">
+        <div class="marker">
+    <a class="self-link" href="#example-3">Example<bdi> 3</bdi></a>
+  </div> <pre aria-busy="false"><code class="hljs http"><span class="hljs-keyword">GET</span> <span class="hljs-string">/</span> HTTP/1.1
+<span class="hljs-attribute">Host</span>: app.example.com
+
+<span class="http">HTTP/1.1 <span class="hljs-number">200</span> Ok
+<span class="hljs-attribute">Content-type</span>: text/html; charset=utf-8
+<span class="hljs-attribute">Link</span>: &lt;https://app.example.com/redirect&gt;; rel="redirect_uri"
+
+<span class="xml"><span class="hljs-meta">&lt;!doctype <span class="hljs-meta-keyword">html</span>&gt;</span>
+<span class="hljs-tag">&lt;<span class="hljs-name">html</span>&gt;</span>
+  <span class="hljs-tag">&lt;<span class="hljs-name">head</span>&gt;</span>
+    <span class="hljs-tag">&lt;<span class="hljs-name">link</span> <span class="hljs-attr">rel</span>=<span class="hljs-string">"redirect_uri"</span> <span class="hljs-attr">href</span>=<span class="hljs-string">"/redirect"</span>&gt;</span>
+  <span class="hljs-tag">&lt;/<span class="hljs-name">head</span>&gt;</span>
+  ...
+<span class="hljs-tag">&lt;/<span class="hljs-name">html</span>&gt;</span></span></span></code></pre>
+      </div>
+        </section>
+
+      </section>
+
+    </section>
+
+    <section class="normative" id="authorization">
+      <h2 id="x5-authorization"><bdi class="secno">5. </bdi>Authorization<a class="self-link" aria-label="§" href="#authorization"></a></h2>
+
+      <p id="authorization-p-1">This section describes how to authenticate users and optionally obtain an access token using the OAuth 2.0 Authorization Code Flow with IndieAuth.</p>
+
+
+      <svg version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 1059 765" style="width: 100%; height: auto;"><defs></defs><g><g></g><g></g><g></g><g></g><g></g><g></g><g></g><g></g><g></g><g></g><g></g><g></g><g></g><g></g><g></g><g></g><g></g><g></g><g></g><g></g><g></g><g></g><g></g><g></g><g></g><g></g><g></g><g><rect fill="white" stroke="none" x="0" y="0" width="1059" height="765"></rect></g><g><text fill="black" stroke="none" font-family="Arial" font-size="16.5pt" font-style="normal" font-weight="normal" text-decoration="normal" x="339.62352710203197" y="24.50280495" text-anchor="start" dominant-baseline="alphabetic">IndieAuth Authorization Flow Diagram</text></g><g><path fill="none" stroke="black" paint-order="fill stroke markers" d=" M 52.77388084866407 95.887643371 L 52.77388084866407 765.6309786710002" stroke-miterlimit="10" stroke-width="1.3612669416666667" stroke-dasharray="12.565541,5.445067766666667"></path><path fill="none" stroke="black" paint-order="fill stroke markers" d=" M 345.71152869488805 95.887643371 L 345.71152869488805 765.6309786710002" stroke-miterlimit="10" stroke-width="1.3612669416666667" stroke-dasharray="12.565541,5.445067766666667"></path><path fill="none" stroke="black" paint-order="fill stroke markers" d=" M 586.4516209991198 95.887643371 L 586.4516209991198 765.6309786710002" stroke-miterlimit="10" stroke-width="1.3612669416666667" stroke-dasharray="12.565541,5.445067766666667"></path><path fill="none" stroke="black" paint-order="fill stroke markers" d=" M 807.065021948599 95.887643371 L 807.065021948599 765.6309786710002" stroke-miterlimit="10" stroke-width="1.3612669416666667" stroke-dasharray="12.565541,5.445067766666667"></path><path fill="none" stroke="black" paint-order="fill stroke markers" d=" M 983.1388990634076 95.887643371 L 983.1388990634076 765.6309786710002" stroke-miterlimit="10" stroke-width="1.3612669416666667" stroke-dasharray="12.565541,5.445067766666667"></path></g><g><path fill="none" stroke="none"></path><g><path fill="white" stroke="black" paint-order="fill stroke markers" d=" M 8.167601650000002 51.782594461 L 97.38016004732813 51.782594461 L 97.38016004732813 95.887643371 L 8.167601650000002 95.887643371 L 8.167601650000002 51.782594461 Z" stroke-miterlimit="10" stroke-width="2.613632528" stroke-dasharray=""></path></g><g><g></g><text fill="black" stroke="none" font-family="Arial" font-size="11pt" font-style="normal" font-weight="normal" text-decoration="normal" x="25.891297230500008" y="79.55244007099999" text-anchor="start" dominant-baseline="alphabetic">Browser</text></g><path fill="none" stroke="none"></path><g><path fill="white" stroke="black" paint-order="fill stroke markers" d=" M 309.2476902921224 51.782594461 L 382.17536709765363 51.782594461 L 382.17536709765363 95.887643371 L 309.2476902921224 95.887643371 L 309.2476902921224 51.782594461 Z" stroke-miterlimit="10" stroke-width="2.613632528" stroke-dasharray=""></path></g><g><g></g><text fill="black" stroke="none" font-family="Arial" font-size="11pt" font-style="normal" font-weight="normal" text-decoration="normal" x="326.9713858726224" y="79.55244007099999" text-anchor="start" dominant-baseline="alphabetic">Client</text></g><path fill="none" stroke="none"></path><g><path fill="white" stroke="black" paint-order="fill stroke markers" d=" M 536.5518618810221 51.782594461 L 636.3513801172174 51.782594461 L 636.3513801172174 95.887643371 L 536.5518618810221 95.887643371 L 536.5518618810221 51.782594461 Z" stroke-miterlimit="10" stroke-width="2.613632528" stroke-dasharray=""></path></g><g><g></g><text fill="black" stroke="none" font-family="Arial" font-size="11pt" font-style="normal" font-weight="normal" text-decoration="normal" x="554.2755574615221" y="79.55244007099999" text-anchor="start" dominant-baseline="alphabetic">User URL</text></g><path fill="none" stroke="none"></path><g><path fill="white" stroke="black" paint-order="fill stroke markers" d=" M 715.5833078744466 51.782594461 L 898.5467360227514 51.782594461 L 898.5467360227514 95.887643371 L 715.5833078744466 95.887643371 L 715.5833078744466 51.782594461 Z" stroke-miterlimit="10" stroke-width="2.613632528" stroke-dasharray=""></path></g><g><g></g><text fill="black" stroke="none" font-family="Arial" font-size="11pt" font-style="normal" font-weight="normal" text-decoration="normal" x="733.3070034549467" y="79.55244007099999" text-anchor="start" dominant-baseline="alphabetic">Authorization Endpoint</text></g><path fill="none" stroke="none"></path><g><path fill="white" stroke="black" paint-order="fill stroke markers" d=" M 914.8819393227514 51.782594461 L 1051.395858804064 51.782594461 L 1051.395858804064 95.887643371 L 914.8819393227514 95.887643371 L 914.8819393227514 51.782594461 Z" stroke-miterlimit="10" stroke-width="2.613632528" stroke-dasharray=""></path></g><g><g></g><text fill="black" stroke="none" font-family="Arial" font-size="11pt" font-style="normal" font-weight="normal" text-decoration="normal" x="932.6056349032514" y="79.55244007099999" text-anchor="start" dominant-baseline="alphabetic">Token Endpoint</text></g></g><g><g><g><path fill="none" stroke="none"></path><rect fill="white" stroke="none" x="103.91131313175653" y="128.558049971" width="190.66278328003906" height="21.23576429"></rect></g><text fill="black" stroke="none" font-family="Arial" font-size="11pt" font-style="normal" font-weight="normal" text-decoration="normal" x="106.36159362675653" y="143.259732941" text-anchor="start" dominant-baseline="alphabetic">User enters their profile URL</text></g><g><path fill="none" stroke="black" paint-order="fill stroke markers" d=" M 52.77388084866407 149.793814261 L 345.71152869488805 149.793814261" stroke-miterlimit="10" stroke-width="1.3612669416666667" stroke-dasharray=""></path><path fill="black" stroke="none" paint-order="stroke fill markers" d=" M 332.09885927822137 142.98747955266666 L 345.71152869488805 149.793814261 L 332.09885927822137 156.60014896933333 Z"></path></g><g><g><path fill="none" stroke="none"></path><rect fill="white" stroke="none" x="365.0415192665547" y="174.296619211" width="202.08011116089844" height="21.23576429"></rect></g><g><path fill="none" stroke="none"></path><rect fill="white" stroke="none" x="365.0415192665547" y="190.631822511" width="193.45447029175781" height="21.23576429"></rect></g><g><path fill="none" stroke="none"></path><rect fill="white" stroke="none" x="365.0415192665547" y="206.96702581099998" width="169.0593744665625" height="21.23576429"></rect></g><text fill="black" stroke="none" font-family="Arial" font-size="11pt" font-style="normal" font-weight="normal" text-decoration="normal" x="367.4917997615547" y="188.99830218099999" text-anchor="start" dominant-baseline="alphabetic">Client fetches URL to discover</text><text fill="black" stroke="none" font-family="Arial" font-size="11pt" font-style="normal" font-weight="normal" text-decoration="normal" x="367.4917997615547" y="205.33350548099997" text-anchor="start" dominant-baseline="alphabetic"></text><text fill="black" stroke="none" font-family="Arial" font-size="11pt" font-style="normal" font-weight="bold" text-decoration="normal" x="367.4917997615547" y="205.33350548099997" text-anchor="start" dominant-baseline="alphabetic">rel=authorization_endpoint</text><text fill="black" stroke="none" font-family="Arial" font-size="11pt" font-style="normal" font-weight="normal" text-decoration="normal" x="556.0457090633125" y="205.33350548099997" text-anchor="start" dominant-baseline="alphabetic"></text><text fill="black" stroke="none" font-family="Arial" font-size="11pt" font-style="normal" font-weight="normal" text-decoration="normal" x="367.4917997615547" y="221.66870878099996" text-anchor="start" dominant-baseline="alphabetic">and </text><text fill="black" stroke="none" font-family="Arial" font-size="11pt" font-style="normal" font-weight="bold" text-decoration="normal" x="396.0243620174141" y="221.66870878099996" text-anchor="start" dominant-baseline="alphabetic">rel=token_endpoint</text><text fill="black" stroke="none" font-family="Arial" font-size="11pt" font-style="normal" font-weight="normal" text-decoration="normal" x="531.6506132381172" y="221.66870878099996" text-anchor="start" dominant-baseline="alphabetic"></text></g><g><path fill="none" stroke="black" paint-order="fill stroke markers" d=" M 345.71152869488805 228.202790101 L 586.4516209991198 228.202790101" stroke-miterlimit="10" stroke-width="1.3612669416666667" stroke-dasharray=""></path><path fill="black" stroke="none" paint-order="stroke fill markers" d=" M 572.8389515824531 221.39645539266667 L 586.4516209991198 228.202790101 L 572.8389515824531 235.00912480933334 Z"></path></g><g><g><path fill="none" stroke="none"></path><rect fill="white" stroke="none" x="72.10387142033075" y="252.705595051" width="254.27766670289063" height="21.23576429"></rect></g><g><path fill="none" stroke="none"></path><rect fill="white" stroke="none" x="72.10387142033075" y="269.040798351" width="243.54748786988281" height="21.23576429"></rect></g><text fill="black" stroke="none" font-family="Arial" font-size="11pt" font-style="normal" font-weight="normal" text-decoration="normal" x="74.55415191533075" y="267.40727802099997" text-anchor="start" dominant-baseline="alphabetic">Client builds authorization request and</text><text fill="black" stroke="none" font-family="Arial" font-size="11pt" font-style="normal" font-weight="normal" text-decoration="normal" x="74.55415191533075" y="283.74248132099996" text-anchor="start" dominant-baseline="alphabetic">redirects to </text><text fill="black" stroke="none" font-family="Arial" font-size="11pt" font-style="normal" font-weight="bold" text-decoration="normal" x="151.13964691044794" y="283.74248132099996" text-anchor="start" dominant-baseline="alphabetic">authorization_endpoint</text><text fill="black" stroke="none" font-family="Arial" font-size="11pt" font-style="normal" font-weight="normal" text-decoration="normal" x="313.20107879521356" y="283.74248132099996" text-anchor="start" dominant-baseline="alphabetic"></text></g><g><path fill="none" stroke="black" paint-order="fill stroke markers" d=" M 345.71152869488805 290.276562641 L 52.77388084866407 290.276562641" stroke-miterlimit="10" stroke-width="1.3612669416666667" stroke-dasharray="6.53408132"></path><path fill="black" stroke="none" paint-order="stroke fill markers" d=" M 66.38655026533074 283.47022793266666 L 52.77388084866407 290.276562641 L 66.38655026533074 297.08289734933334 Z"></path></g><g><g><path fill="none" stroke="none"></path><rect fill="white" stroke="none" x="188.6969083303894" y="314.779367591" width="482.44508613648435" height="21.23576429"></rect></g><text fill="black" stroke="none" font-family="Arial" font-size="11pt" font-style="normal" font-weight="normal" text-decoration="normal" x="191.14718882538938" y="329.48105056099996" text-anchor="start" dominant-baseline="alphabetic">User visits their authorization endpoint and sees the authorization request</text></g><g><path fill="none" stroke="black" paint-order="fill stroke markers" d=" M 52.77388084866407 336.015131881 L 807.065021948599 336.015131881" stroke-miterlimit="10" stroke-width="1.3612669416666667" stroke-dasharray=""></path><path fill="black" stroke="none" paint-order="stroke fill markers" d=" M 793.4523525319323 329.20879717266666 L 807.065021948599 336.015131881 L 793.4523525319323 342.82146658933334 Z"></path></g><g><g><path fill="none" stroke="none"></path><rect fill="white" stroke="none" x="375.10486494393103" y="360.517936831" width="402.566820755625" height="21.23576429"></rect></g><text fill="black" stroke="none" font-family="Arial" font-size="11pt" font-style="normal" font-weight="normal" text-decoration="normal" x="377.55514543893105" y="375.21961980099996" text-anchor="start" dominant-baseline="alphabetic">Authorization endpoint fetches client information (name, icon)</text></g><g><path fill="none" stroke="black" paint-order="fill stroke markers" d=" M 807.065021948599 381.753701121 L 345.71152869488805 381.753701121" stroke-miterlimit="10" stroke-width="1.3612669416666667" stroke-dasharray=""></path><path fill="black" stroke="none" paint-order="stroke fill markers" d=" M 359.3241981115547 374.94736641266667 L 345.71152869488805 381.753701121 L 359.3241981115547 388.56003582933334 Z"></path></g><g><g><path fill="none" stroke="none"></path><rect fill="white" stroke="none" x="217.22231421417845" y="406.256506071" width="305.6162592321875" height="21.23576429"></rect></g><g><path fill="none" stroke="none"></path><rect fill="white" stroke="none" x="217.22231421417845" y="422.591709371" width="425.3942743689062" height="21.23576429"></rect></g><text fill="black" stroke="none" font-family="Arial" font-size="11pt" font-style="normal" font-weight="normal" text-decoration="normal" x="219.67259470917844" y="420.95818904099997" text-anchor="start" dominant-baseline="alphabetic">User authenticates, and approves the request.</text><text fill="black" stroke="none" font-family="Arial" font-size="11pt" font-style="normal" font-weight="normal" text-decoration="normal" x="219.67259470917844" y="437.29339234099996" text-anchor="start" dominant-baseline="alphabetic">Authorization endpoint issues code, builds redirect back to client.</text></g><g><path fill="none" stroke="black" paint-order="fill stroke markers" d=" M 807.065021948599 443.827473661 L 52.77388084866407 443.827473661" stroke-miterlimit="10" stroke-width="1.3612669416666667" stroke-dasharray="6.53408132"></path><path fill="black" stroke="none" paint-order="stroke fill markers" d=" M 66.38655026533074 437.02113895266666 L 52.77388084866407 443.827473661 L 66.38655026533074 450.63380836933334 Z"></path></g><g><g><path fill="none" stroke="none"></path><rect fill="white" stroke="none" x="87.22556789249872" y="468.330278611" width="202.41652168335938" height="21.23576429"></rect></g><g><path fill="none" stroke="none"></path><rect fill="white" stroke="none" x="87.22556789249872" y="484.665481911" width="224.0342737585547" height="21.23576429"></rect></g><text fill="black" stroke="none" font-family="Arial" font-size="11pt" font-style="normal" font-weight="normal" text-decoration="normal" x="89.67584838749872" y="483.03196158099996" text-anchor="start" dominant-baseline="alphabetic">User's browser is redirected to</text><text fill="black" stroke="none" font-family="Arial" font-size="11pt" font-style="normal" font-weight="normal" text-decoration="normal" x="89.67584838749872" y="499.36716488099995" text-anchor="start" dominant-baseline="alphabetic">client with an </text><text fill="black" stroke="none" font-family="Arial" font-size="11pt" font-style="normal" font-weight="bold" text-decoration="normal" x="178.49469604374872" y="499.36716488099995" text-anchor="start" dominant-baseline="alphabetic">authorization code</text><text fill="black" stroke="none" font-family="Arial" font-size="11pt" font-style="normal" font-weight="normal" text-decoration="normal" x="308.8095611560534" y="499.36716488099995" text-anchor="start" dominant-baseline="alphabetic"></text></g><g><path fill="none" stroke="black" paint-order="fill stroke markers" d=" M 52.77388084866407 505.901246201 L 345.71152869488805 505.901246201" stroke-miterlimit="10" stroke-width="1.3612669416666667" stroke-dasharray=""></path><path fill="black" stroke="none" paint-order="stroke fill markers" d=" M 332.09885927822137 499.09491149266665 L 345.71152869488805 505.901246201 L 332.09885927822137 512.7075809093333 Z"></path></g><g><g><path fill="none" stroke="none"></path><rect fill="white" stroke="none" x="520.9871709329759" y="530.4040511509999" width="286.8760858923437" height="21.23576429"></rect></g><g><path fill="none" stroke="none"></path><rect fill="white" stroke="none" x="520.9871709329759" y="546.7392544509999" width="270.5339228064062" height="21.23576429"></rect></g><g><path fill="none" stroke="none"></path><rect fill="white" stroke="none" x="520.9871709329759" y="563.0744577509998" width="145.91697944703125" height="21.23576429"></rect></g><text fill="black" stroke="none" font-family="Arial" font-size="11pt" font-style="normal" font-weight="normal" text-decoration="normal" x="523.4374514279759" y="545.1057341209998" text-anchor="start" dominant-baseline="alphabetic">Client exchanges authorization code for an </text><text fill="black" stroke="none" font-family="Arial" font-size="11pt" font-style="normal" font-weight="normal" text-decoration="normal" x="523.4374514279759" y="561.4409374209998" text-anchor="start" dominant-baseline="alphabetic">access token by making a POST request</text><text fill="black" stroke="none" font-family="Arial" font-size="11pt" font-style="normal" font-weight="normal" text-decoration="normal" x="523.4374514279759" y="577.7761407209998" text-anchor="start" dominant-baseline="alphabetic">to the token_endpoint</text></g><g><path fill="none" stroke="black" paint-order="fill stroke markers" d=" M 345.71152869488805 584.3102220409999 L 983.1388990634076 584.3102220409999" stroke-miterlimit="10" stroke-width="1.3612669416666667" stroke-dasharray=""></path><path fill="black" stroke="none" paint-order="stroke fill markers" d=" M 969.526229646741 577.5038873326665 L 983.1388990634076 584.3102220409999 L 969.526229646741 591.1165567493332 Z"></path></g><g><g><path fill="none" stroke="none"></path><rect fill="white" stroke="none" x="505.9299199564134" y="608.813026991" width="268.9448114782812" height="21.23576429"></rect></g><g><path fill="none" stroke="none"></path><rect fill="white" stroke="none" x="505.9299199564134" y="625.148230291" width="316.9905878454687" height="21.23576429"></rect></g><text fill="black" stroke="none" font-family="Arial" font-size="11pt" font-style="normal" font-weight="normal" text-decoration="normal" x="508.38020045141343" y="623.514709961" text-anchor="start" dominant-baseline="alphabetic">Token endpoint verifies code and returns</text><text fill="black" stroke="none" font-family="Arial" font-size="11pt" font-style="normal" font-weight="normal" text-decoration="normal" x="508.38020045141343" y="639.849913261" text-anchor="start" dominant-baseline="alphabetic">canonical user profile URL with an access token</text></g><g><path fill="none" stroke="black" paint-order="fill stroke markers" d=" M 983.1388990634076 646.383994581 L 345.71152869488805 646.383994581" stroke-miterlimit="10" stroke-width="1.3612669416666667" stroke-dasharray="6.53408132"></path><path fill="black" stroke="none" paint-order="stroke fill markers" d=" M 359.3241981115547 639.5776598726667 L 345.71152869488805 646.383994581 L 359.3241981115547 653.1903292893334 Z"></path></g><g><g><path fill="none" stroke="none"></path><rect fill="white" stroke="none" x="106.74953182072137" y="670.8867995310002" width="184.98634590210938" height="21.23576429"></rect></g><g><path fill="none" stroke="none"></path><rect fill="white" stroke="none" x="106.74953182072137" y="687.2220028310002" width="164.6427942663672" height="21.23576429"></rect></g><text fill="black" stroke="none" font-family="Arial" font-size="11pt" font-style="normal" font-weight="normal" text-decoration="normal" x="109.19981231572137" y="685.5884825010002" text-anchor="start" dominant-baseline="alphabetic">Client initiates login session</text><text fill="black" stroke="none" font-family="Arial" font-size="11pt" font-style="normal" font-weight="normal" text-decoration="normal" x="109.19981231572137" y="701.9236858010001" text-anchor="start" dominant-baseline="alphabetic">and the user is logged in</text></g><g><path fill="none" stroke="black" paint-order="fill stroke markers" d=" M 345.71152869488805 708.4577671210002 L 52.77388084866407 708.4577671210002" stroke-miterlimit="10" stroke-width="1.3612669416666667" stroke-dasharray="6.53408132"></path><path fill="black" stroke="none" paint-order="stroke fill markers" d=" M 66.38655026533074 701.6514324126668 L 52.77388084866407 708.4577671210002 L 66.38655026533074 715.2641018293335 Z"></path></g></g><g></g><g></g><g></g><g></g><g></g></g></svg>
+      <ul>
+        <li id="authorization-li-1">The End-User enters their profile URL in the login form of the client and clicks "Sign in"</li>
+        <li id="authorization-li-2">The client discovers the End-User's authorization endpoint and token endpoint by fetching the profile URL and looking for the <code>rel=authorization_endpoint</code> and <code>rel=token_endpoint</code> values</li>
+        <li id="authorization-li-3">The client builds the authorization request including its client identifier, requested scope, local state, and a redirect URI, and redirects the browser to the authorization endpoint</li>
+        <li id="authorization-li-4">The authorization endpoint fetches the client information from the client identifier URL in order to have an application name and icon to display to the user</li>
+        <li id="authorization-li-5">The authorization endpoint verifies the End-User, e.g. by logging in, and establishes whether the End-User grants or denies the client's request</li>
+        <li id="authorization-li-6">The authorization endpoint generates an authorization code and redirects the browser back to the client, including an authorization code in the URL</li>
+        <li id="authorization-li-7">The client exchanges the authorization code for an access token by making a POST request to the token endpoint. The token endpoint validates the authorization code, and responds with the End-User's canonical profile URL and an access token</li>
+      </ul>
+
+      <p id="authorization-p-2">Note: If the client is only trying to learn who the user is and does not need an access token, the client exchanges the authorization code for the user profile information at the Authorization Endpoint instead.</p>
+
+      <section id="discovery-0">
+        <h3 id="x5-1-discovery"><bdi class="secno">5.1 </bdi>Discovery<a class="self-link" aria-label="§" href="#discovery-0"></a></h3>
+
+        <p id="discovery-0-p-1">After obtaining the End-User's profile URL, the client fetches the URL and looks for the <code>authorization_endpoint</code> and <code>token_endpoint</code> rel values in the HTTP <code>Link</code> headers and HTML <code>&lt;link&gt;</code> tags as described in <a href="#discovery-by-clients" class="sec-ref">§&nbsp;<bdi class="secno">4.1 </bdi>Discovery by Clients</a>.</p>
+
+        <div class="example" id="example-4">
+        <div class="marker">
+    <a class="self-link" href="#example-4">Example<bdi> 4</bdi></a>
+  </div> <pre class="nohighlight">Link: &lt;https://example.org/auth&gt;; rel="authorization_endpoint"
+Link: &lt;https://example.org/token&gt;; rel="token_endpoint"
+
+&lt;link rel="authorization_endpoint" href="https://example.org/auth"&gt;
+&lt;link rel="token_endpoint" href="https://example.org/token"&gt;</pre>
+      </div>
+      </section>
+
+      <section id="authorization-request">
+        <h3 id="x5-2-authorization-request"><bdi class="secno">5.2 </bdi>Authorization Request<a class="self-link" aria-label="§" href="#authorization-request"></a></h3>
+
+          <p id="authorization-request-p-1">The client builds the authorization request URL by starting with the discovered <code>authorization_endpoint</code> URL and adding the following parameters to the query component:</p>
+
+          <ul>
+            <li id="authorization-request-li-1"><code>response_type=code</code> - Indicates to the authorization server that an authorization code should be returned as the response</li>
+            <li id="authorization-request-li-2"><code>me</code> - The profile URL that the user entered</li>
+            <li id="authorization-request-li-3"><code>client_id</code> - The client URL</li>
+            <li id="authorization-request-li-4"><code>redirect_uri</code> - The redirect URL indicating where the user should be redirected to after approving the request</li>
+            <li id="authorization-request-li-5"><code>state</code> - A parameter set by the client which will be included when the user is redirected back to the client. This is used to prevent CSRF attacks. The authorization server <em class="rfc2119" title="MUST">MUST</em> return the unmodified state value back to the client.</li>
+            <li id="authorization-request-li-6"><code>scope</code> - (optional) A space-separated list of scopes the client is requesting, e.g. "profile", or "profile create". If the client omits this value, the authorization server <em class="rfc2119" title="MUST NOT">MUST NOT</em> issue an access token for this authorization code. Only the user's URL may be returned without any scope requested.</li>
+          </ul>
+
+          <div class="example" id="example-5">
+        <div class="marker">
+    <a class="self-link" href="#example-5">Example<bdi> 5</bdi></a>
+  </div> <pre class="nohighlight">https://example.org/auth?me=https://user.example.net/&amp;
+                          redirect_uri=https://app.example.com/redirect&amp;
+                          client_id=https://app.example.com/&amp;
+                          state=1234567890&amp;
+                          scope=profile+create+update+delete&amp;
+                          response_type=code</pre>
+      </div>
+
+          <p id="authorization-request-p-2">The authorization endpoint <em class="rfc2119" title="SHOULD">SHOULD</em> fetch the <code>client_id</code> URL to retrieve application information and the client's registered redirect URLs, see <a href="#client-information-discovery">Client Information Discovery</a> for more information.</p>
+
+          <p id="authorization-request-p-3">If the URL scheme, host or port of the <code>redirect_uri</code> in the request do not match that of the <code>client_id</code>, then the authorization endpoint <em class="rfc2119" title="SHOULD">SHOULD</em> verify that the requested <code>redirect_uri</code> matches one of the <a href="#redirect-url">redirect URLs</a> published by the client, and <em class="rfc2119" title="SHOULD">SHOULD</em> block the request from proceeding if not.</p>
+
+          <p id="authorization-request-p-4">It is up to the authorization endpoint how to authenticate the user. This step is out of scope of OAuth 2.0, and is highly dependent on the particular implementation. Some authorization servers use typical username/password authentication, and others use alternative forms of authentication such as [<cite><a class="bibref" data-link-type="biblio" href="#bib-relmeauth" title="RelMeAuth">RelMeAuth</a></cite>].</p>
+
+          <p id="authorization-request-p-5">Once the user is authenticated, the authorization endpoint presents the authorization request to the user. The prompt <em class="rfc2119" title="MUST">MUST</em> indicate which application the user is signing in to, and <em class="rfc2119" title="SHOULD">SHOULD</em> provide as much detail as possible about the request, such as information about the requested scopes.</p>
+
+
+        <section id="authorization-response">
+          <h4 id="x5-2-1-authorization-response"><bdi class="secno">5.2.1 </bdi>Authorization Response<a class="self-link" aria-label="§" href="#authorization-response"></a></h4>
+
+          <p id="authorization-response-p-1">If the user approves the request, the authorization endpoint generates an authorization code and builds the redirect back to the client.</p>
+
+          <p id="authorization-response-p-2">The redirect is built by starting with the <code>redirect_uri</code> in the request, and adding the following parameters to the query component of the redirect URL:</p>
+
+          <ul>
+            <li id="authorization-response-li-1"><code>code</code> - The authorization code generated by the authorization endpoint. The code <em class="rfc2119" title="MUST">MUST</em> expire shortly after it is issued to mitigate the risk of leaks, and <em class="rfc2119" title="MUST">MUST</em> be valid for only one use. A maximum lifetime of 10 minutes is recommended. See <a href="https://tools.ietf.org/html/rfc6749#section-4.1.2">OAuth 2.0 Section 4.1.2</a> for additional requirements on the authorization code.</li>
+            <li id="authorization-response-li-2"><code>state</code> - The state parameter <em class="rfc2119" title="MUST">MUST</em> be set to the exact value that the client set in the request.</li>
+          </ul>
+
+          <div class="example" id="example-6">
+        <div class="marker">
+    <a class="self-link" href="#example-6">Example<bdi> 6</bdi></a>
+  </div> <pre class="nohighlight">HTTP/1.1 302 Found
+  Location: https://app.example.com/redirect?code=xxxxxxxx
+                                             state=1234567890</pre>
+      </div>
+
+          <p id="authorization-response-p-3">Upon the redirect back to the client, the client <em class="rfc2119" title="MUST">MUST</em> verify that the state parameter in the request is valid and matches the state parameter that it initially created, in order to prevent CSRF attacks. The state value can also store session information to enable development of clients that cannot store data themselves.</p>
+
+          <p id="authorization-response-p-4">See OAuth 2.0 [<cite><a class="bibref" data-link-type="biblio" href="#bib-rfc6749" title="The OAuth 2.0 Authorization Framework">RFC6749</a></cite>] <a href="https://tools.ietf.org/html/rfc6749#section-4.1.2.1">Section 4.1.2.1</a> for how to indicate errors and other failures to the user and client.</p>
+        </section>
+      </section>
+
+      <section id="redeeming-the-authorization-code">
+        <h3 id="x5-3-redeeming-the-authorization-code"><bdi class="secno">5.3 </bdi>Redeeming the Authorization Code<a class="self-link" aria-label="§" href="#redeeming-the-authorization-code"></a></h3>
+
+        <p id="redeeming-the-authorization-code-p-1">Once the client has obtained an authorization code, it can redeem it for an access token or the user's final profile URL.</p>
+
+        <section id="request">
+          <h4 id="x5-3-1-request"><bdi class="secno">5.3.1 </bdi>Request<a class="self-link" aria-label="§" href="#request"></a></h4>
+
+          <p id="request-p-1">If the client only needs to know the user who logged in and does not need to make requests to resource servers with an access token, the client exchanges the authorization code for the user's profile URL at the <b>authorization endpoint</b>.</p>
+
+          <p id="request-p-2">If the client needs an access token in order to make requests to a resource server such as a [<cite><a class="bibref" data-link-type="biblio" href="#bib-micropub" title="Micropub">Micropub</a></cite>] endpoint, it can exchange the authorization code for an access token and the user's profile URL at the <b>token endpoint</b>.</p>
+
+          <p id="request-p-3">After the client validates the state parameter, the client makes a POST request to the token endpoint or authorization endpoint to exchange the authorization code for the final user profile URL and/or access token. The POST request contains the following parameters:</p>
+
+          <ul>
+            <li id="request-li-1"><code>grant_type=authorization_code</code></li>
+            <li id="request-li-2"><code>code</code> - The authorization code received from the authorization endpoint in the redirect</li>
+            <li id="request-li-3"><code>client_id</code> - The client's URL, which <em class="rfc2119" title="MUST">MUST</em> match the client_id used in the authentication request.</li>
+            <li id="request-li-4"><code>redirect_uri</code> - The client's redirect URL, which <em class="rfc2119" title="MUST">MUST</em> match the initial authentication request.</li>
+          </ul>
+
+          <b>Example request to authorization endpoint</b>
+          <div class="example" id="example-7">
+        <div class="marker">
+    <a class="self-link" href="#example-7">Example<bdi> 7</bdi></a>
+  </div> <pre class="nohighlight">POST https://example.org/auth
+  Content-type: application/x-www-form-urlencoded
+  Accept: application/json
+
+  grant_type=authorization_code
+  &amp;code=xxxxxxxx
+  &amp;client_id=https://app.example.com/
+  &amp;redirect_uri=https://app.example.com/redirect</pre>
+      </div>
+
+          <b>Example request to token endpoint</b>
+          <div class="example" id="example-8">
+        <div class="marker">
+    <a class="self-link" href="#example-8">Example<bdi> 8</bdi></a>
+  </div> <pre class="nohighlight">POST https://example.org/token
+Content-type: application/x-www-form-urlencoded
+Accept: application/json
+
+grant_type=authorization_code
+&amp;code=xxxxxxxx
+&amp;client_id=https://app.example.com/
+&amp;redirect_uri=https://app.example.com/redirect</pre>
+      </div>
+        </section>
+
+        <section id="profile-url-response">
+          <h4 id="x5-3-2-profile-url-response"><bdi class="secno">5.3.2 </bdi>Profile URL Response<a class="self-link" aria-label="§" href="#profile-url-response"></a></h4>
+
+          <p id="profile-url-response-p-1">The authorization endpoint verifies that the authorization code is valid, has not yet been used, and that it was issued for the matching <code>client_id</code> and <code>redirect_uri</code>. If the request is valid, then the endpoint responds with a JSON [<cite><a class="bibref" data-link-type="biblio" href="#bib-rfc7159" title="The JavaScript Object Notation (JSON) Data Interchange Format">RFC7159</a></cite>] object containing one property, <code>me</code>, with the canonical user profile URL for the user who signed in.</p>
+
+          <div class="example" id="example-9">
+        <div class="marker">
+    <a class="self-link" href="#example-9">Example<bdi> 9</bdi></a>
+  </div> <pre class="nohighlight">HTTP/1.1 200 OK
+  Content-Type: application/json
+
+  {
+    "me": "https://user.example.net/"
+  }</pre>
+      </div>
+
+          <p id="profile-url-response-p-2">The resulting profile URL <em class="rfc2119" title="MAY">MAY</em> be different from what the user initially entered, but <em class="rfc2119" title="MUST">MUST</em> be on the same domain. This gives the authorization endpoint an opportunity to canonicalize the user's URL, such as correcting <code>http</code> to <code>https</code>, or adding a path if required. See <a href="#redirect-examples">Redirect Examples</a> for an example of how a service can allow a user to enter a URL on a domain different from their resulting <code>me</code> profile URL.</p>
+
+          <p id="profile-url-response-p-3">See OAuth 2.0 [<cite><a class="bibref" data-link-type="biblio" href="#bib-rfc6749" title="The OAuth 2.0 Authorization Framework">RFC6749</a></cite>] <a href="https://tools.ietf.org/html/rfc6749#section-5.2">Section 5.2</a> for how to respond in the case of errors or other failures.</p>
+        </section>
+
+        <section id="access-token-response">
+          <h4 id="x5-3-3-access-token-response"><bdi class="secno">5.3.3 </bdi>Access Token Response<a class="self-link" aria-label="§" href="#access-token-response"></a></h4>
+
+          <p id="access-token-response-p-1">The token endpoint needs to verify that the authorization code is valid, and that it was issued for the matching <code>client_id</code> and <code>redirect_uri</code>, and contains at least one <code>scope</code>. If the authorization code was issued with no <code>scope</code>, the token endpoint <em class="rfc2119" title="MUST NOT">MUST NOT</em> issue an access token, as empty scopes are invalid per Section 3.3 of OAuth 2.0 [<cite><a class="bibref" data-link-type="biblio" href="#bib-rfc6749" title="The OAuth 2.0 Authorization Framework">RFC6749</a></cite>].</p>
+
+          <p id="access-token-response-p-2">The specifics of how the token endpoint verifies the authorization code are out of scope of this document, as typically the authorization endpoint and token endpoint are part of the same system and can share storage or other private communication mechanism.</p>
+
+          <p id="access-token-response-p-3">If the request is valid, then the token endpoint can generate an access token and return the appropriate response. The token response is a JSON [<cite><a class="bibref" data-link-type="biblio" href="#bib-rfc7159" title="The JavaScript Object Notation (JSON) Data Interchange Format">RFC7159</a></cite>] object containing the OAuth 2.0 Bearer Token [<cite><a class="bibref" data-link-type="biblio" href="#bib-rfc6750" title="The OAuth 2.0 Authorization Framework: Bearer Token Usage">RFC6750</a></cite>], as well as a property <code>me</code>, containing the canonical user profile URL for the user this access token corresponds to. For example:</p>
+
+          <div class="example" id="example-10">
+        <div class="marker">
+    <a class="self-link" href="#example-10">Example<bdi> 10</bdi></a>
+  </div> <pre class="nohighlight">HTTP/1.1 200 OK
+Content-Type: application/json
+
+{
+  "access_token": "XXXXXX",
+  "token_type": "Bearer",
+  "scope": "create update delete",
+  "me": "https://user.example.net/"
+}</pre>
+      </div>
+
+          <p id="access-token-response-p-4">The resulting profile URL <em class="rfc2119" title="MAY">MAY</em> be different from what the user initially entered, but <em class="rfc2119" title="MUST">MUST</em> be on the same domain. This provides the opportunity to canonicalize the user's URL, such as correcting <code>http</code> to <code>https</code>, or adding a path if required. See <a href="#redirect-examples">Redirect Examples</a> for an example of how a service can allow a user to enter a URL on a domain different from their resulting <code>me</code> profile URL.</p>
+
+          <p id="access-token-response-p-5">See OAuth 2.0 [<cite><a class="bibref" data-link-type="biblio" href="#bib-rfc6749" title="The OAuth 2.0 Authorization Framework">RFC6749</a></cite>] <a href="https://tools.ietf.org/html/rfc6749#section-5.2">Section 5.2</a> for how to respond in the case of errors or other failures.</p>
+        </section>
+      </section>
+
+    </section>
+
+    <section class="normative" id="access-token-verification">
+      <h2 id="x6-access-token-verification"><bdi class="secno">6. </bdi>Access Token Verification<a class="self-link" aria-label="§" href="#access-token-verification"></a></h2>
+
+      <p id="access-token-verification-p-1">In OAuth 2.0, access tokens are opaque to clients, so clients do not need to know anything about the contents or structure of the token itself. Additionally, endpoints that clients make requests to, such as [<cite><a class="bibref" data-link-type="biblio" href="#bib-micropub" title="Micropub">Micropub</a></cite>] endpoints, may not even understand how to interpret tokens if they were issued by a standalone token endpoint. If the token endpoint is not tightly integrated with the resource server the client is interacting with, then the resource server needs a way to verify access tokens that it receives from clients. If the token endpoint and Micropub endpoint are tightly coupled, then they can of course use an internal mechanism to verify access tokens.</p>
+
+      <p id="access-token-verification-p-2">Token endpoints that intend to interoperate with other endpoints <em class="rfc2119" title="MUST">MUST</em> use the mechanism described below to allow resource servers such as Micropub endpoints to verify access tokens.</p>
+
+      <section id="access-token-verification-request">
+        <h3 id="x6-1-access-token-verification-request"><bdi class="secno">6.1 </bdi>Access Token Verification Request<a class="self-link" aria-label="§" href="#access-token-verification-request"></a></h3>
+
+        <p id="access-token-verification-request-p-1">If a resource server needs to verify that an access token is valid, it <em class="rfc2119" title="MUST">MUST</em> make a GET request to the token endpoint containing an HTTP <code>Authorization</code> header with the Bearer Token according to [<cite><a class="bibref" data-link-type="biblio" href="#bib-rfc6750" title="The OAuth 2.0 Authorization Framework: Bearer Token Usage">RFC6750</a></cite>]. Note that the request to the endpoint will not contain any user-identifying information, so the resource server (e.g. Micropub endpoint) will need to know via out-of-band methods which token endpoint is in use.</p>
+
+        <div class="example" id="example-11">
+        <div class="marker">
+    <a class="self-link" href="#example-11">Example<bdi> 11</bdi></a>
+  </div> <pre class="nohighlight">GET https://example.org/token
+  Authorization: Bearer xxxxxxxx
+  Accept: application/json</pre>
+      </div>
+      </section>
+
+      <section id="access-token-verification-response">
+        <h3 id="x6-2-access-token-verification-response"><bdi class="secno">6.2 </bdi>Access Token Verification Response<a class="self-link" aria-label="§" href="#access-token-verification-response"></a></h3>
+
+        <p id="access-token-verification-response-p-1">The token endpoint verifies the access token using (how this verification is done is up to the implementation), and returns information about the token:</p>
+
+        <ul>
+          <li id="access-token-verification-response-li-1"><code>me</code> - The profile URL of the user corresponding to this token</li>
+          <li id="access-token-verification-response-li-2"><code>client_id</code> - The client ID associated with this token</li>
+          <li id="access-token-verification-response-li-3"><code>scope</code> - A space-separated list of scopes associated with this token</li>
+        </ul>
+
+        <div class="example" id="example-12">
+        <div class="marker">
+    <a class="self-link" href="#example-12">Example<bdi> 12</bdi></a>
+  </div> <pre class="nohighlight">HTTP/1.1 200 OK
+  Content-Type: application/json
+
+  {
+  "me": "https://user.example.net/",
+  "client_id": https://app.example.com/",
+  "scope": "create update delete"
+  }</pre>
+      </div>
+
+        <p id="access-token-verification-response-p-2">Specific implementations <em class="rfc2119" title="MAY">MAY</em> include additional parameters as top-level JSON properties. Clients <em class="rfc2119" title="SHOULD">SHOULD</em> ignore parameters they don't recognize.</p>
+
+        <p id="access-token-verification-response-p-3">If the token is not valid, the endpoint <em class="rfc2119" title="MUST">MUST</em> return an appropriate HTTP 400, 401 or 403 response. The response body is not significant.</p>
+      </section>
+    </section>
+
+    <section class="normative" id="token-revocation">
+      <h2 id="x7-token-revocation"><bdi class="secno">7. </bdi>Token Revocation<a class="self-link" aria-label="§" href="#token-revocation"></a></h2>
+
+      <p id="token-revocation-p-1">A client may wish to explicitly disable an access token that it has obtained, such as when the user signs out of the client. IndieAuth extends OAuth 2.0 Token Revocation [<cite><a class="bibref" data-link-type="biblio" href="#bib-rfc7009" title="OAuth 2.0 Token Revocation">RFC7009</a></cite>] by defining the following:</p>
+
+      <ul>
+        <li id="token-revocation-li-1">The revocation endpoint is the same as the token endpoint.</li>
+        <li id="token-revocation-li-2">The revocation request includes an additional parameter, <code>action=revoke</code>.</li>
+      </ul>
+
+      <section id="token-revocation-request">
+        <h3 id="x7-1-token-revocation-request"><bdi class="secno">7.1 </bdi>Token Revocation Request<a class="self-link" aria-label="§" href="#token-revocation-request"></a></h3>
+
+        <p id="token-revocation-request-p-1">An example revocation request is below.</p>
+
+        <div class="example" id="example-13">
+        <div class="marker">
+    <a class="self-link" href="#example-13">Example<bdi> 13</bdi></a>
+  </div> <pre class="nohighlight">POST https://example.org/token HTTP/1.1
+  Content-Type: application/x-www-form-urlencoded
+  Accept: application/json
+
+  action=revoke
+  &amp;token=xxxxxxxx</pre>
+      </div>
+
+        <p id="token-revocation-request-p-2">As described in [<cite><a class="bibref" data-link-type="biblio" href="#bib-rfc7009" title="OAuth 2.0 Token Revocation">RFC7009</a></cite>], the revocation endpoint responds with HTTP 200 for both the case where the token was successfully revoked, or if the submitted token was invalid.</p>
+      </section>
+    </section>
+
+
+    <section id="security-considerations">
+      <h2 id="x8-security-considerations"><bdi class="secno">8. </bdi>Security Considerations<a class="self-link" aria-label="§" href="#security-considerations"></a></h2>
+
+      <p id="security-considerations-p-1">In addition to the security considerations in OAuth 2.0 Core [<cite><a class="bibref" data-link-type="biblio" href="#bib-rfc6749" title="The OAuth 2.0 Authorization Framework">RFC6749</a></cite>] and OAuth 2.0 Threat Model and Security Considerations [<cite><a class="bibref" data-link-type="biblio" href="#bib-rfc6819" title="OAuth 2.0 Threat Model and Security Considerations">RFC6819</a></cite>], the additional considerations apply.</p>
+
+      <section id="differing-user-profile-urls">
+        <h3 id="x8-1-differing-user-profile-urls"><bdi class="secno">8.1 </bdi>Differing User Profile URLs<a class="self-link" aria-label="§" href="#differing-user-profile-urls"></a></h3>
+
+        <p id="differing-user-profile-urls-p-1">Clients will initially prompt the user for their profile URL in order to discover the necessary endpoints to perform authentication or authorization. However, there may be slight differences between the URL that the user initially enters vs what the system considers the user's canonical profile URL.</p>
+
+        <p id="differing-user-profile-urls-p-2">For example, a user might enter <code>user.example.net</code> in a login interface, and the client may assume a default scheme of <code>http</code>, providing an initial profile URL of <code>http://user.example.net</code>. Once the authentication or authorization flow is complete, the response in the <code>me</code> parameter might be the canonical <code>https://user.example.net/</code>. In some cases, user profile URLs have a full path component such as <code>https://example.net/username</code>, but users may enter just <code>example.net</code> in the login interface.</p>
+
+        <p id="differing-user-profile-urls-p-3">Clients <em class="rfc2119" title="MUST">MUST</em> use the resulting <code>me</code> value from the <a href="#profile-url-response">profile URL response</a> or <a href="#access-token-response">access token response</a> rather than assume the initially-entered URL is correct, with the following condition:</p>
+
+        <ul>
+          <li id="differing-user-profile-urls-li-1">The resulting profile URL <em class="rfc2119" title="MUST">MUST</em> have a matching domain of the initially-entered profile URL.</li>
+        </ul>
+
+        <p id="differing-user-profile-urls-p-4">This ensures that an authorization endpoint is not able to issue valid responses for arbitrary profile URLs.</p>
+      </section>
+
+      <section id="preventing-phishing-and-redirect-attacks">
+        <h3 id="x8-2-preventing-phishing-and-redirect-attacks"><bdi class="secno">8.2 </bdi>Preventing Phishing and Redirect Attacks<a class="self-link" aria-label="§" href="#preventing-phishing-and-redirect-attacks"></a></h3>
+
+        <p id="preventing-phishing-and-redirect-attacks-p-1">Authorization servers <em class="rfc2119" title="SHOULD">SHOULD</em> fetch the <code>client_id</code> provided in the authentication or authorization request in order to provide users with additional information about the request, such as the application name and logo. If the server does not fetch the client information, then it <em class="rfc2119" title="SHOULD">SHOULD</em> take additional measures to ensure the user is provided with as much information as possible about the request.</p>
+
+        <p id="preventing-phishing-and-redirect-attacks-p-2">The authorization server <em class="rfc2119" title="SHOULD">SHOULD</em> display the full <code>client_id</code> on the authorization interface, in addition to displaying the fetched application information if any. Displaying the <code>client_id</code> helps users know that they are authorizing the expected application.</p>
+
+        <p id="preventing-phishing-and-redirect-attacks-p-3">Since all IndieAuth clients are public clients, and no client authentication is used, the only measure available to protect against some attacks described in [<cite><a class="bibref" data-link-type="biblio" href="#bib-rfc6819" title="OAuth 2.0 Threat Model and Security Considerations">RFC6819</a></cite>] is strong verification of the client's <code>redirect_uri</code>. If the <code>redirect_uri</code> scheme, host or port differ from that of the <code>client_id</code>, then the authorization server <em class="rfc2119" title="MUST">MUST</em> either verify the redirect URL as described in <a href="#redirect-url">Redirect URL</a>, or display the redirect URL to the user so they can inspect it manually.</p>
+      </section>
+
+    </section>
+
+    <section id="iana-considerations">
+      <h2 id="x9-iana-considerations"><bdi class="secno">9. </bdi>IANA Considerations<a class="self-link" aria-label="§" href="#iana-considerations"></a></h2>
+
+      <p id="iana-considerations-p-1">The link relation types below are documented to be registered by IANA per Section 6.2.1 of [<cite><a class="bibref" data-link-type="biblio" href="#bib-rfc8288" title="Web Linking">RFC8288</a></cite>]:</p>
+
+      <dl>
+        <dt>Relation Name:</dt>
+        <dd>authorization_endpoint</dd>
+
+        <dt>Description:</dt>
+        <dd>Used for discovery of the OAuth 2.0 authorization endpoint given an IndieAuth profile URL.</dd>
+
+        <dt>Reference:</dt>
+        <dd><a href="https://indieauth.spec.indieweb.org/">IndieAuth Specification (https://indieauth.spec.indieweb.org/)</a></dd>
+      </dl>
+
+      <dl>
+        <dt>Relation Name:</dt>
+        <dd>token_endpoint</dd>
+
+        <dt>Description:</dt>
+        <dd>Used for discovery of the OAuth 2.0 token endpoint given an IndieAuth profile URL.</dd>
+
+        <dt>Reference:</dt>
+        <dd><a href="https://indieauth.spec.indieweb.org/">IndieAuth Specification (https://indieauth.spec.indieweb.org/)</a></dd>
+      </dl>
+
+      <dl>
+        <dt>Relation Name:</dt>
+        <dd>redirect_uri</dd>
+
+        <dt>Description:</dt>
+        <dd>Used for discovery of the OAuth 2.0 redirect URI given an IndieAuth client ID.</dd>
+
+        <dt>Reference:</dt>
+        <dd><a href="https://indieauth.spec.indieweb.org/">IndieAuth Specification (https://indieauth.spec.indieweb.org/)</a></dd>
+      </dl>
+    </section>
+
+    
+
+    <section class="appendix informative" id="resources">
+      <h2 id="a-resources"><bdi class="secno">A. </bdi>Resources<a class="self-link" aria-label="§" href="#resources"></a></h2><p id="resources-p-1"><em>This section is non-normative.</em></p>
+
+      <p id="resources-p-2">
+        </p><ul>
+          
+          <li id="resources-li-1"><a href="https://indieweb.org/Category:IndieAuth">More IndieAuth resources</a></li>
+          <li id="resources-li-2"><a href="https://indieweb.org/obtaining-an-access-token">Implementation guide for obtaining an access token using IndieAuth</a></li>
+          <li id="resources-li-3"><a href="https://indieweb.org/indieauth-for-login">Implementation guide for authenticating users without obtaining an access token</a></li>
+        </ul>
+      <p id="resources-p-3"></p>
+
+      <section class="appendix informative" id="articles">
+        <h3 id="a-1-articles"><bdi class="secno">A.1 </bdi>Articles<a class="self-link" aria-label="§" href="#articles"></a></h3><p id="articles-p-1"><em>This section is non-normative.</em></p>
+
+        <p id="articles-p-2">You can find a list of <a href="https://indieweb.org/IndieAuth#Articles">articles about IndieAuth</a> on the IndieWeb wiki.</p>
+      </section>
+
+      <section class="appendix informative" id="implementations">
+        <h3 id="a-2-implementations"><bdi class="secno">A.2 </bdi>Implementations<a class="self-link" aria-label="§" href="#implementations"></a></h3><p id="implementations-p-1"><em>This section is non-normative.</em></p>
+
+        <p id="implementations-p-2">You can find a list of <a href="https://indieauth.net/implementations">IndieAuth implementations</a> on indieauth.net</p>
+      </section>
+
+    </section>
+
+    <section class="appendix" id="acknowledgements">
+      <h2 id="b-acknowledgements"><bdi class="secno">B. </bdi>Acknowledgements<a class="self-link" aria-label="§" href="#acknowledgements"></a></h2>
+
+      <p id="acknowledgements-p-1">The editor wishes to thank the <a href="https://indieweb.org/">IndieWeb</a>
+        community and other implementers for their support, encouragement and enthusiasm,
+        including but not limited to: Amy Guy, Barnaby Walters, Benjamin Roberts, Bret Comnes, Christian Weiske, Dmitri Shuralyov, François Kooman, Jeena Paradies, Martijn van der Ven, Sebastiaan Andeweg, Sven Knebel, and Tantek Çelik.</p>
+    </section>
+
+    <section class="appendix informative" id="change-log">
+      <h2 id="c-change-log"><bdi class="secno">C. </bdi>Change Log<a class="self-link" aria-label="§" href="#change-log"></a></h2><p id="change-log-p-1"><em>This section is non-normative.</em></p>
+
+      <section id="changes-from-25-january-2020-to-this-version">
+        <h3 id="c-1-changes-from-25-january-2020-to-this-version"><bdi class="secno">C.1 </bdi>Changes from 25 January 2020 to this version<a class="self-link" aria-label="§" href="#changes-from-25-january-2020-to-this-version"></a></h3>
+        <ul>
+          <li id="changes-from-25-january-2020-to-this-version-li-1">Drop the <code>me</code> parameter from the token endpoint request</li>
+          <li id="changes-from-25-january-2020-to-this-version-li-2">Consolidate the authentication and authorization sections into a single section, describing only the difference which is the response returned.</li>
+          <li id="changes-from-25-january-2020-to-this-version-li-3">Drop the section describing communication between token endpoints and authorization endpoints as it was underused</li>
+          <li id="changes-from-25-january-2020-to-this-version-li-4">Editorial changes and rearranging sections</li>
+        </ul>
+      </section>
+
+      <section id="changes-from-03-march-2019-to-25-january-2020">
+        <h3 id="c-2-changes-from-03-march-2019-to-25-january-2020"><bdi class="secno">C.2 </bdi>Changes from 03 March 2019 to 25 January 2020<a class="self-link" aria-label="§" href="#changes-from-03-march-2019-to-25-january-2020"></a></h3>
+        <ul>
+          <li id="changes-from-03-march-2019-to-25-january-2020-li-1">Use "authentication" and "authorization" more consistently in paragraphs and diagrams</li>
+          <li id="changes-from-03-march-2019-to-25-january-2020-li-2">Clarify that "Authorization Code Flow" is "OAuth 2.0 Authorization Code Flow"</li>
+          <li id="changes-from-03-march-2019-to-25-january-2020-li-3">Minor typo fixes</li>
+        </ul>
+      </section>
+
+      <section id="changes-from-07-july-2018-to-03-march-2019">
+        <h3 id="c-3-changes-from-07-july-2018-to-03-march-2019"><bdi class="secno">C.3 </bdi>Changes from 07 July 2018 to 03 March 2019<a class="self-link" aria-label="§" href="#changes-from-07-july-2018-to-03-march-2019"></a></h3>
+        <ul>
+          <li id="changes-from-07-july-2018-to-03-march-2019-li-1">Updates the spec header to note that it is a living standard</li>
+          <li id="changes-from-07-july-2018-to-03-march-2019-li-2">Minor typo fixes</li>
+        </ul>
+      </section>
+
+      <section id="changes-from-23-january-2018-to-07-july-2018">
+        <h3 id="c-4-changes-from-23-january-2018-to-07-july-2018"><bdi class="secno">C.4 </bdi>Changes from <a href="https://www.w3.org/TR/2018/NOTE-indieauth-20180123/">23 January 2018</a> to 07 July 2018<a class="self-link" aria-label="§" href="#changes-from-23-january-2018-to-07-july-2018"></a></h3>
+        <ul>
+          <li id="changes-from-23-january-2018-to-07-july-2018-li-1">Replaced references to RFC 5988 with RFC 8288 (<a href="https://github.com/indieweb/indieauth/commit/69d1d51e9541d8b76233793099b359de898a7154">diff</a>)</li>
+          <li id="changes-from-23-january-2018-to-07-july-2018-li-2">Added <code>Accept: application/json</code> header to example requests (<a href="https://github.com/indieweb/indieauth/commit/bfa39332ea3a38ff31efb7101db5b20f2ecbaff7">diff</a>)</li>
+        </ul>
+      </section>
+
+      <section id="changes-from-07-july-2018-to-03-march-2019-0">
+        <h3 id="c-5-changes-from-07-july-2018-to-03-march-2019"><bdi class="secno">C.5 </bdi>Changes from 07 July 2018 to 03 March 2019<a class="self-link" aria-label="§" href="#changes-from-07-july-2018-to-03-march-2019-0"></a></h3>
+
+        <ul>
+          <li id="changes-from-07-july-2018-to-03-march-2019-0-li-1">Added missing ampersand in HTTP redirect example (<a href="https://github.com/indieweb/indieauth/commit/ffaf128e01712ca38f3a7dd412749c2bf2f1c99a">diff</a>)</li>
+          <li id="changes-from-07-july-2018-to-03-march-2019-0-li-2">Fixed broken references section (<a href="https://github.com/indieweb/indieauth/commit/7f90282274d2703363265d0914b90ce7be8ac0b6">diff</a>)</li>
+          <li id="changes-from-07-july-2018-to-03-march-2019-0-li-3">Fixed internal link to redirect examples (<a href="https://github.com/indieweb/indieauth/commit/e3eef35c2d16e4a4a00767c8da4ac55ad02d7bc0">diff</a>)</li>
+        </ul>
+      </section>
+    </section>
+
+    <script>
+    // After text is selected (mouseup), find the closest element that has an ID
+    // attribute, and update the browser location bar to include that as the fragment
+    document.body.onmouseup = function(){
+      var selection;
+      if(selection=window.getSelection()) {
+        var range = selection.getRangeAt(0);
+        var el = range.startContainer;
+        while((el=el.parentElement) && !el.attributes["id"]);
+        var hash = el.attributes["id"].value;
+        if(history.replaceState) {
+          history.replaceState(null, null, "#"+hash);
+        }
+      }
+    };
+    </script>
+  
+
+<section id="references" class="appendix"><h2 id="d-references"><bdi class="secno">D. </bdi>References<a class="self-link" aria-label="§" href="#references"></a></h2><section id="normative-references">
+      <h3 id="d-1-normative-references"><bdi class="secno">D.1 </bdi>
+        Normative references
+      <a class="self-link" aria-label="§" href="#normative-references"></a></h3>
+    <dl class="bibliography">
+      <dt id="bib-fetch">[Fetch]</dt><dd><a href="https://fetch.spec.whatwg.org/"><cite>Fetch Standard</cite></a>. Anne van Kesteren.  WHATWG. Living Standard. URL: <a href="https://fetch.spec.whatwg.org/">https://fetch.spec.whatwg.org/</a></dd><dt id="bib-h-app">[h-app]</dt><dd><a href="https://microformats.org/wiki/h-app"><cite>h-app</cite></a>. Aaron Parecki.  microformats.org. Living Specification. URL: <a href="https://microformats.org/wiki/h-app">https://microformats.org/wiki/h-app</a></dd><dt id="bib-html">[HTML]</dt><dd><a href="https://html.spec.whatwg.org/multipage/"><cite>HTML Standard</cite></a>. Anne van Kesteren; Domenic Denicola; Ian Hickson; Philip Jägenstedt; Simon Pieters.  WHATWG. Living Standard. URL: <a href="https://html.spec.whatwg.org/multipage/">https://html.spec.whatwg.org/multipage/</a></dd><dt id="bib-rfc2119">[RFC2119]</dt><dd><a href="https://tools.ietf.org/html/rfc2119"><cite>Key words for use in RFCs to Indicate Requirement Levels</cite></a>. S. Bradner.  IETF. March 1997. Best Current Practice. URL: <a href="https://tools.ietf.org/html/rfc2119">https://tools.ietf.org/html/rfc2119</a></dd><dt id="bib-rfc6749">[RFC6749]</dt><dd><a href="https://tools.ietf.org/html/rfc6749"><cite>The OAuth 2.0 Authorization Framework</cite></a>. D. Hardt, Ed..  IETF. October 2012. Proposed Standard. URL: <a href="https://tools.ietf.org/html/rfc6749">https://tools.ietf.org/html/rfc6749</a></dd><dt id="bib-rfc6750">[RFC6750]</dt><dd><a href="https://tools.ietf.org/html/rfc6750"><cite>The OAuth 2.0 Authorization Framework: Bearer Token Usage</cite></a>. M. Jones; D. Hardt.  IETF. October 2012. Proposed Standard. URL: <a href="https://tools.ietf.org/html/rfc6750">https://tools.ietf.org/html/rfc6750</a></dd><dt id="bib-rfc7009">[RFC7009]</dt><dd><a href="https://tools.ietf.org/html/rfc7009"><cite>OAuth 2.0 Token Revocation</cite></a>. T. Lodderstedt, Ed.; S. Dronia; M. Scurtescu.  IETF. August 2013. Proposed Standard. URL: <a href="https://tools.ietf.org/html/rfc7009">https://tools.ietf.org/html/rfc7009</a></dd><dt id="bib-rfc7159">[RFC7159]</dt><dd><a href="https://tools.ietf.org/html/rfc7159"><cite>The JavaScript Object Notation (JSON) Data Interchange Format</cite></a>. T. Bray, Ed..  IETF. March 2014. Proposed Standard. URL: <a href="https://tools.ietf.org/html/rfc7159">https://tools.ietf.org/html/rfc7159</a></dd><dt id="bib-rfc7231">[RFC7231]</dt><dd><a href="https://httpwg.org/specs/rfc7231.html"><cite>Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content</cite></a>. R. Fielding, Ed.; J. Reschke, Ed..  IETF. June 2014. Proposed Standard. URL: <a href="https://httpwg.org/specs/rfc7231.html">https://httpwg.org/specs/rfc7231.html</a></dd><dt id="bib-rfc8288">[RFC8288]</dt><dd><a href="https://httpwg.org/specs/rfc8288.html"><cite>Web Linking</cite></a>. M. Nottingham.  IETF. October 2017. Proposed Standard. URL: <a href="https://httpwg.org/specs/rfc8288.html">https://httpwg.org/specs/rfc8288.html</a></dd><dt id="bib-url">[URL]</dt><dd><a href="https://url.spec.whatwg.org/"><cite>URL Standard</cite></a>. Anne van Kesteren.  WHATWG. Living Standard. URL: <a href="https://url.spec.whatwg.org/">https://url.spec.whatwg.org/</a></dd>
+    </dl></section><section id="informative-references">
+      <h3 id="d-2-informative-references"><bdi class="secno">D.2 </bdi>
+        Informative references
+      <a class="self-link" aria-label="§" href="#informative-references"></a></h3>
+    <dl class="bibliography">
+      <dt id="bib-micropub">[Micropub]</dt><dd><a href="https://www.w3.org/TR/micropub/"><cite>Micropub</cite></a>. Aaron Parecki.  W3C. 23 May 2017. W3C Recommendation. URL: <a href="https://www.w3.org/TR/micropub/">https://www.w3.org/TR/micropub/</a></dd><dt id="bib-relmeauth">[RelMeAuth]</dt><dd><a href="https://microformats.org/wiki/RelMeAuth"><cite>RelMeAuth</cite></a>. Tantek Çelik.  microformats.org. Living Specification. URL: <a href="https://microformats.org/wiki/RelMeAuth">https://microformats.org/wiki/RelMeAuth</a></dd><dt id="bib-rfc6819">[RFC6819]</dt><dd><a href="https://tools.ietf.org/html/rfc6819"><cite>OAuth 2.0 Threat Model and Security Considerations</cite></a>. T. Lodderstedt, Ed.; M. McGloin; P. Hunt.  IETF. January 2013. Informational. URL: <a href="https://tools.ietf.org/html/rfc6819">https://tools.ietf.org/html/rfc6819</a></dd>
+    </dl></section></section><p role="navigation" id="back-to-top">
+    <a href="#title"><abbr title="Back to Top">↑</abbr></a>
+  </p><script src="https://www.w3.org/scripts/TR/2016/fixup.js"></script></body></html>
\ No newline at end of file
diff --git a/public/spec/20200926/index.html b/public/spec/20200926/index.html
new file mode 100644
index 0000000..1138aed
--- /dev/null
+++ b/public/spec/20200926/index.html
@@ -0,0 +1,976 @@
+<!DOCTYPE html><html lang="en" dir="ltr"><head><meta charset="utf-8"><meta name="generator" content="ReSpec 25.6.0"><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"><style>span.example-title{text-transform:none}aside.example,div.example,div.illegal-example{padding:.5em;margin:1em 0;position:relative;clear:both}div.illegal-example{color:red}div.illegal-example p{color:#000}aside.example,div.example{padding:.5em;border-left-width:.5em;border-left-style:solid;border-color:#e0cb52;background:#fcfaee}aside.example div.example{border-left-width:.1em;border-color:#999;background:#fff}aside.example div.example span.example-title{color:#999}</style>
+    <title>IndieAuth</title>
+    
+    
+    
+    
+    
+    <link rel="pingback" href="https://indieauth.net/pingback">
+    <link rel="webmention" href="https://indieauth.net/webmention">
+  <style id="respec-mainstyle">@keyframes pop{0%{transform:scale(1,1)}25%{transform:scale(1.25,1.25);opacity:.75}100%{transform:scale(1,1)}}.hljs{background:0 0!important}a abbr,h1 abbr,h2 abbr,h3 abbr,h4 abbr,h5 abbr,h6 abbr{border:none}dfn{font-weight:700}a.internalDFN{color:inherit;border-bottom:1px solid #99c;text-decoration:none}a.externalDFN{color:inherit;border-bottom:1px dotted #ccc;text-decoration:none}a.bibref{text-decoration:none}.respec-offending-element:target{animation:pop .25s ease-in-out 0s 1}.respec-offending-element,a[href].respec-offending-element{text-decoration:red wavy underline}@supports not (text-decoration:red wavy underline){.respec-offending-element:not(pre){display:inline-block}.respec-offending-element{background:url(data:image/gif;base64,R0lGODdhBAADAPEAANv///8AAP///wAAACwAAAAABAADAEACBZQjmIAFADs=) bottom repeat-x}}#references :target{background:#eaf3ff;animation:pop .4s ease-in-out 0s 1}cite .bibref{font-style:normal}code{color:#c63501}th code{color:inherit}a[href].orcid{padding-left:4px;padding-right:4px}a[href].orcid>svg{margin-bottom:-2px}.toc a,.tof a{text-decoration:none}a .figno,a .secno{color:#000}ol.tof,ul.tof{list-style:none outside none}.caption{margin-top:.5em;font-style:italic}table.simple{border-spacing:0;border-collapse:collapse;border-bottom:3px solid #005a9c}.simple th{background:#005a9c;color:#fff;padding:3px 5px;text-align:left}.simple th a{color:#fff;padding:3px 5px;text-align:left}.simple th[scope=row]{background:inherit;color:inherit;border-top:1px solid #ddd}.simple td{padding:3px 10px;border-top:1px solid #ddd}.simple tr:nth-child(even){background:#f0f6ff}.section dd>p:first-child{margin-top:0}.section dd>p:last-child{margin-bottom:0}.section dd{margin-bottom:1em}.section dl.attrs dd,.section dl.eldef dd{margin-bottom:0}#issue-summary>ul,.respec-dfn-list{column-count:2}#issue-summary li,.respec-dfn-list li{list-style:none}details.respec-tests-details{margin-left:1em;display:inline-block;vertical-align:top}details.respec-tests-details>*{padding-right:2em}details.respec-tests-details[open]{z-index:999999;position:absolute;border:thin solid #cad3e2;border-radius:.3em;background-color:#fff;padding-bottom:.5em}details.respec-tests-details[open]>summary{border-bottom:thin solid #cad3e2;padding-left:1em;margin-bottom:1em;line-height:2em}details.respec-tests-details>ul{width:100%;margin-top:-.3em}details.respec-tests-details>li{padding-left:1em}a[href].self-link:hover{opacity:1;text-decoration:none;background-color:transparent}h2,h3,h4,h5,h6{position:relative}aside.example .marker>a.self-link{color:inherit}h2>a.self-link,h3>a.self-link,h4>a.self-link,h5>a.self-link,h6>a.self-link{border:none;color:inherit;font-size:83%;height:2em;left:-1.6em;opacity:.5;position:absolute;text-align:center;text-decoration:none;top:0;transition:opacity .2s;width:2em}h2>a.self-link::before,h3>a.self-link::before,h4>a.self-link::before,h5>a.self-link::before,h6>a.self-link::before{content:"§";display:block}@media (max-width:767px){dd{margin-left:0}h2>a.self-link,h3>a.self-link,h4>a.self-link,h5>a.self-link,h6>a.self-link{left:auto;top:auto}}@media print{.removeOnSave{display:none}}</style><meta name="description" content="IndieAuth is an identity layer on top of OAuth 2.0 [RFC6749], primarily used to obtain
+        an OAuth 2.0 Bearer Token [RFC6750] for use by [Micropub] clients. End-Users
+        and Clients are all represented by URLs. IndieAuth enables Clients to
+        verify the identity of an End-User, as well as to obtain an access
+        token that can be used to access resources under the control of the End-User."><link rel="canonical" href="https://www.w3.org/TR/indieauth/"><style>.hljs{display:block;overflow-x:auto;padding:.5em;color:#383a42;background:#fafafa}.hljs-comment,.hljs-quote{color:#717277;font-style:italic}.hljs-doctag,.hljs-formula,.hljs-keyword{color:#a626a4}.hljs-deletion,.hljs-name,.hljs-section,.hljs-selector-tag,.hljs-subst{color:#ca4706;font-weight:700}.hljs-literal{color:#0b76c5}.hljs-addition,.hljs-attribute,.hljs-meta-string,.hljs-regexp,.hljs-string{color:#42803c}.hljs-built_in,.hljs-class .hljs-title{color:#9a6a01}.hljs-attr,.hljs-number,.hljs-selector-attr,.hljs-selector-class,.hljs-selector-pseudo,.hljs-template-variable,.hljs-type,.hljs-variable{color:#986801}.hljs-bullet,.hljs-link,.hljs-meta,.hljs-selector-id,.hljs-symbol,.hljs-title{color:#336ae3}.hljs-emphasis{font-style:italic}.hljs-strong{font-weight:700}.hljs-link{text-decoration:underline}</style><style>var{position:relative;cursor:pointer}var[data-type]::after,var[data-type]::before{position:absolute;left:50%;top:-6px;opacity:0;transition:opacity .4s;pointer-events:none}var[data-type]::before{content:"";transform:translateX(-50%);border-width:4px 6px 0 6px;border-style:solid;border-color:transparent;border-top-color:#000}var[data-type]::after{content:attr(data-type);transform:translateX(-50%) translateY(-100%);background:#000;text-align:center;font-family:"Dank Mono","Fira Code",monospace;font-style:normal;padding:6px;border-radius:3px;color:#daca88;text-indent:0;font-weight:400}var[data-type]:hover::after,var[data-type]:hover::before{opacity:1}</style><script id="initialUserConfig" type="application/json">{
+  "useExperimentalStyles": true,
+  "publishDate": "2020-09-26",
+  "specStatus": "NOTE",
+  "previousPublishDate": "2020-08-09",
+  "previousMaturity": "LS",
+  "previousVersionURL": "https://indieauth.spec.indieweb.org/20200809/",
+  "shortName": "indieauth",
+  "lsURI": "https://indieauth.spec.indieweb.org/",
+  "testSuiteURI": "https://indieauth.rocks/",
+  "editors": [
+    {
+      "name": "Aaron Parecki",
+      "url": "https://aaronparecki.com/",
+      "w3cid": "59996"
+    }
+  ],
+  "wg": "Social Web Working Group",
+  "wgURI": "https://www.w3.org/Social/WG",
+  "wgPublicList": "public-socialweb",
+  "wgPatentURI": "https://www.w3.org/2004/01/pp-impl/72531/status",
+  "errata": "https://indieauth.net/errata",
+  "license": "w3c-software-doc",
+  "postProcess": [
+    null,
+    null
+  ],
+  "maxTocLevel": 3,
+  "otherLinks": [
+    {
+      "key": "Repository",
+      "data": [
+        {
+          "value": "Github",
+          "href": "https://github.com/indieweb/indieauth"
+        },
+        {
+          "value": "Issues",
+          "href": "https://github.com/indieweb/indieauth/issues"
+        },
+        {
+          "value": "Commits",
+          "href": "https://github.com/indieweb/indieauth/commits/master"
+        }
+      ]
+    }
+  ],
+  "localBiblio": {
+    "microformats2-parsing": {
+      "title": "Microformats2 Parsing",
+      "href": "https://microformats.org/wiki/microformats2-parsing",
+      "authors": [
+        "Tantek Çelik"
+      ],
+      "status": "Living Specification",
+      "publisher": "microformats.org"
+    },
+    "h-entry": {
+      "title": "h-entry",
+      "href": "https://microformats.org/wiki/h-entry",
+      "authors": [
+        "Tantek Çelik"
+      ],
+      "status": "Living Specification",
+      "publisher": "microformats.org"
+    },
+    "h-app": {
+      "title": "h-app",
+      "href": "https://microformats.org/wiki/h-app",
+      "authors": [
+        "Aaron Parecki"
+      ],
+      "status": "Living Specification",
+      "publisher": "microformats.org",
+      "id": "h-app"
+    },
+    "RelMeAuth": {
+      "title": "RelMeAuth",
+      "href": "https://microformats.org/wiki/RelMeAuth",
+      "authors": [
+        "Tantek Çelik"
+      ],
+      "status": "Living Specification",
+      "publisher": "microformats.org",
+      "id": "relmeauth"
+    },
+    "XFN11": {
+      "title": "XFN 1.1",
+      "href": "https://gmpg.org/xfn/11",
+      "authors": [
+        "Tantek Çelik",
+        "Matthew Mullenweg",
+        "Eric Meyer"
+      ],
+      "status": "Stable",
+      "publisher": "Global Multimedia Protocols Group"
+    },
+    "URL": {
+      "title": "URL Standard",
+      "href": "https://url.spec.whatwg.org/",
+      "authors": [
+        "Anne van Kesteren"
+      ],
+      "status": "Living Standard",
+      "publisher": "WHATWG",
+      "id": "url"
+    }
+  },
+  "publishISODate": "2020-09-26T00:00:00.000Z",
+  "generatedSubtitle": "Working Group Note 26 September 2020"
+}</script><link rel="stylesheet" href="https://www.w3.org/StyleSheets/TR/2016/W3C-NOTE"></head>
+  <body class="h-entry informative" style="background-image: url(&quot;https://spec.indieweb.org/INDIEWEB-LIVING-STANDARD.svg&quot;);"><div class="head">
+    <a class="logo" href="https://www.w3.org/"><img alt="W3C" width="120" height="100" src="https://spec.indieweb.org/index_files/logo.svg"></a> <h1 id="title" class="title">IndieAuth</h1>
+    
+    <h2>IndieWeb Living Standard 26 September 2020</h2>
+    <dl>
+      <dt>This version:</dt><dd>
+              <a class="u-url" href="https://indieauth.spec.indieweb.org/20200926/">https://indieauth.spec.indieweb.org/20200926/</a>
+            </dd>
+      
+      <dt>Test suite:</dt><dd><a href="https://indieauth.rocks/">https://indieauth.rocks/</a></dd>
+      
+      
+      <dt>Previous version:</dt><dd><a href="https://indieauth.spec.indieweb.org/20200809/">https://indieauth.spec.indieweb.org/20200809/</a></dd>
+      
+      <dt>Editor:</dt>
+      <dd class="p-author h-card vcard" data-editor-id="59996"><a class="u-url url p-name fn" href="https://aaronparecki.com/">Aaron Parecki</a></dd>
+      
+      
+      <dt>Repository:</dt><dd>
+    <a href="https://github.com/indieweb/indieauth">Github</a>
+  </dd><dd>
+    <a href="https://github.com/indieweb/indieauth/issues">Issues</a>
+  </dd><dd>
+    <a href="https://github.com/indieweb/indieauth/commits/master">Commits</a>
+  </dd>
+    </dl>
+    <p>
+          Please check the
+          <a href="https://indieauth.net/errata"><strong>errata</strong></a> for any errors or
+          issues reported since publication.
+        </p>
+    
+    
+    <p class="copyright"><b>License:</b> Per <a href="https://creativecommons.org/publicdomain/zero/1.0/">CC0</a>, to the extent possible under law, the editor(s) and contributors have waived all copyright and related or neighboring rights to this work. In addition, the editor(s) and contributors have made this specification available under the <a href="http://www.openwebfoundation.org/legal/the-owf-1-0-agreements/owfa-1-0">Open Web Foundation Agreement Version 1.0</a>.</p>
+    <hr title="Separator for header">
+  </div>
+    <section id="abstract" class="introductory"><h2>Abstract</h2>
+      <p id="abstract-p-1">
+        IndieAuth is an identity layer on top of OAuth 2.0 [<cite><a class="bibref" data-link-type="biblio" href="#bib-rfc6749" title="The OAuth 2.0 Authorization Framework">RFC6749</a></cite>], primarily used to obtain
+        an OAuth 2.0 Bearer Token [<cite><a class="bibref" data-link-type="biblio" href="#bib-rfc6750" title="The OAuth 2.0 Authorization Framework: Bearer Token Usage">RFC6750</a></cite>] for use by [<cite><a class="bibref" data-link-type="biblio" href="#bib-micropub" title="Micropub">Micropub</a></cite>] clients. End-Users
+        and Clients are all represented by URLs. IndieAuth enables Clients to
+        verify the identity of an End-User, as well as to obtain an access
+        token that can be used to access resources under the control of the End-User.
+      </p>
+
+      <section id="authorsnote" class="informative">
+        <h3 id="author-s-note">Author's Note<a class="self-link" aria-label="§" href="#authorsnote"></a></h3><p id="authorsnote-p-1"><em>This section is non-normative.</em></p>
+        <p id="authorsnote-p-2">This specification was contributed to the <abbr title="World Wide Web Consortium">W3C</abbr> from the
+          <a href="https://indieweb.org/">IndieWeb</a> community. More
+          history and evolution of IndieAuth can be found on the
+          <a href="https://indieweb.org/IndieAuth-spec">IndieWeb wiki</a>.</p>
+      </section>
+    </section>
+
+    <section id="sotd" class="introductory"><h2>Status of This Document</h2>
+    <p>This document was published by the IndieWeb community as a Living Standard.</p><p>Per <a href="https://creativecommons.org/publicdomain/zero/1.0/">CC0</a>, to the extent possible under law, the editor(s) and contributors have waived all copyright and related or neighboring rights to this work. In addition, the editor(s) and contributors have made this specification available under the <a href="http://www.openwebfoundation.org/legal/the-owf-1-0-agreements/owfa-1-0">Open Web Foundation Agreement Version 1.0</a>.</p></section><nav id="toc"><h2 class="introductory" id="table-of-contents">Table of Contents</h2><ol class="toc"><li class="tocline"><a class="tocxref" href="#introduction"><bdi class="secno">1. </bdi>Introduction</a><ol class="toc"><li class="tocline"><a class="tocxref" href="#background"><bdi class="secno">1.1 </bdi>Background</a></li><li class="tocline"><a class="tocxref" href="#oauth-2-0-extension"><bdi class="secno">1.2 </bdi>OAuth 2.0 Extension</a></li></ol></li><li class="tocline"><a class="tocxref" href="#conformance"><bdi class="secno">2. </bdi>Conformance</a><ol class="toc"><li class="tocline"><a class="tocxref" href="#conformance-classes"><bdi class="secno">2.1 </bdi>Conformance Classes</a><ol class="toc"><li class="tocline"><a class="tocxref" href="#authorization-endpoint"><bdi class="secno">2.1.1 </bdi>Authorization Endpoint</a></li><li class="tocline"><a class="tocxref" href="#token-endpoint"><bdi class="secno">2.1.2 </bdi>Token Endpoint</a></li><li class="tocline"><a class="tocxref" href="#micropub-client"><bdi class="secno">2.1.3 </bdi>Micropub Client</a></li><li class="tocline"><a class="tocxref" href="#indieauth-client"><bdi class="secno">2.1.4 </bdi>IndieAuth Client</a></li></ol></li></ol></li><li class="tocline"><a class="tocxref" href="#identifiers"><bdi class="secno">3. </bdi>Identifiers</a><ol class="toc"><li class="tocline"><a class="tocxref" href="#user-profile-url"><bdi class="secno">3.1 </bdi>User Profile URL</a></li><li class="tocline"><a class="tocxref" href="#client-identifier"><bdi class="secno">3.2 </bdi>Client Identifier</a></li><li class="tocline"><a class="tocxref" href="#url-canonicalization"><bdi class="secno">3.3 </bdi>URL Canonicalization</a></li></ol></li><li class="tocline"><a class="tocxref" href="#discovery"><bdi class="secno">4. </bdi>Discovery</a><ol class="toc"><li class="tocline"><a class="tocxref" href="#discovery-by-clients"><bdi class="secno">4.1 </bdi>Discovery by Clients</a><ol class="toc"><li class="tocline"><a class="tocxref" href="#redirect-examples"><bdi class="secno">4.1.1 </bdi>Redirect Examples</a><ol class="toc"></ol></li></ol></li><li class="tocline"><a class="tocxref" href="#client-information-discovery"><bdi class="secno">4.2 </bdi>Client Information Discovery</a><ol class="toc"><li class="tocline"><a class="tocxref" href="#application-information"><bdi class="secno">4.2.1 </bdi>Application Information</a></li><li class="tocline"><a class="tocxref" href="#redirect-url"><bdi class="secno">4.2.2 </bdi>Redirect URL</a></li></ol></li></ol></li><li class="tocline"><a class="tocxref" href="#authorization"><bdi class="secno">5. </bdi>Authorization</a><ol class="toc"><li class="tocline"><a class="tocxref" href="#discovery-0"><bdi class="secno">5.1 </bdi>Discovery</a></li><li class="tocline"><a class="tocxref" href="#authorization-request"><bdi class="secno">5.2 </bdi>Authorization Request</a><ol class="toc"><li class="tocline"><a class="tocxref" href="#authorization-response"><bdi class="secno">5.2.1 </bdi>Authorization Response</a></li></ol></li><li class="tocline"><a class="tocxref" href="#redeeming-the-authorization-code"><bdi class="secno">5.3 </bdi>Redeeming the Authorization Code</a><ol class="toc"><li class="tocline"><a class="tocxref" href="#request"><bdi class="secno">5.3.1 </bdi>Request</a></li><li class="tocline"><a class="tocxref" href="#profile-url-response"><bdi class="secno">5.3.2 </bdi>Profile URL Response</a></li><li class="tocline"><a class="tocxref" href="#access-token-response"><bdi class="secno">5.3.3 </bdi>Access Token Response</a></li><li class="tocline"><a class="tocxref" href="#profile-information"><bdi class="secno">5.3.4 </bdi>Profile Information</a></li></ol></li></ol></li><li class="tocline"><a class="tocxref" href="#access-token-verification"><bdi class="secno">6. </bdi>Access Token Verification</a><ol class="toc"><li class="tocline"><a class="tocxref" href="#access-token-verification-request"><bdi class="secno">6.1 </bdi>Access Token Verification Request</a></li><li class="tocline"><a class="tocxref" href="#access-token-verification-response"><bdi class="secno">6.2 </bdi>Access Token Verification Response</a></li></ol></li><li class="tocline"><a class="tocxref" href="#token-revocation"><bdi class="secno">7. </bdi>Token Revocation</a><ol class="toc"><li class="tocline"><a class="tocxref" href="#token-revocation-request"><bdi class="secno">7.1 </bdi>Token Revocation Request</a></li></ol></li><li class="tocline"><a class="tocxref" href="#security-considerations"><bdi class="secno">8. </bdi>Security Considerations</a><ol class="toc"><li class="tocline"><a class="tocxref" href="#differing-user-profile-urls"><bdi class="secno">8.1 </bdi>Differing User Profile URLs</a></li><li class="tocline"><a class="tocxref" href="#preventing-phishing-and-redirect-attacks"><bdi class="secno">8.2 </bdi>Preventing Phishing and Redirect Attacks</a></li></ol></li><li class="tocline"><a class="tocxref" href="#iana-considerations"><bdi class="secno">9. </bdi>IANA Considerations</a></li><li class="tocline"><a class="tocxref" href="#resources"><bdi class="secno">A. </bdi>Resources</a><ol class="toc"><li class="tocline"><a class="tocxref" href="#articles"><bdi class="secno">A.1 </bdi>Articles</a></li><li class="tocline"><a class="tocxref" href="#implementations"><bdi class="secno">A.2 </bdi>Implementations</a></li></ol></li><li class="tocline"><a class="tocxref" href="#acknowledgements"><bdi class="secno">B. </bdi>Acknowledgements</a></li><li class="tocline"><a class="tocxref" href="#change-log"><bdi class="secno">C. </bdi>Change Log</a><ol class="toc"><li class="tocline"><a class="tocxref" href="#changes-from-09-august-2020-to-this-version"><bdi class="secno">C.1 </bdi>Changes from 09 August 2020 to this version</a></li><li class="tocline"><a class="tocxref" href="#changes-from-25-january-2020-to-09-august-2020"><bdi class="secno">C.2 </bdi>Changes from 25 January 2020 to 09 August 2020</a></li><li class="tocline"><a class="tocxref" href="#changes-from-03-march-2019-to-25-january-2020"><bdi class="secno">C.3 </bdi>Changes from 03 March 2019 to 25 January 2020</a></li><li class="tocline"><a class="tocxref" href="#changes-from-07-july-2018-to-03-march-2019"><bdi class="secno">C.4 </bdi>Changes from 07 July 2018 to 03 March 2019</a></li><li class="tocline"><a class="tocxref" href="#changes-from-23-january-2018-to-07-july-2018"><bdi class="secno">C.5 </bdi>Changes from <span class="formerLink">23 January 2018</span> to 07 July 2018</a></li><li class="tocline"><a class="tocxref" href="#changes-from-07-july-2018-to-03-march-2019-0"><bdi class="secno">C.6 </bdi>Changes from 07 July 2018 to 03 March 2019</a></li></ol></li><li class="tocline"><a class="tocxref" href="#references"><bdi class="secno">D. </bdi>References</a><ol class="toc"><li class="tocline"><a class="tocxref" href="#normative-references"><bdi class="secno">D.1 </bdi>
+        Normative references
+      </a></li><li class="tocline"><a class="tocxref" href="#informative-references"><bdi class="secno">D.2 </bdi>
+        Informative references
+      </a></li></ol></li></ol></nav>
+
+    <section id="introduction">
+      <h2 id="x1-introduction"><bdi class="secno">1. </bdi>Introduction<a class="self-link" aria-label="§" href="#introduction"></a></h2>
+
+      <section class="informative" id="background">
+        <h3 id="x1-1-background"><bdi class="secno">1.1 </bdi>Background<a class="self-link" aria-label="§" href="#background"></a></h3><p id="background-p-1"><em>This section is non-normative.</em></p>
+
+        <p id="background-p-2">The IndieAuth spec began as a way to obtain an OAuth 2.0 access token for use by Micropub clients. It can be used to both obtain an access token, as well as authenticate users signing to any application. It is built on top of the OAuth 2.0 framework, and while this document should provide enough guidance for implementers, referring to the core OAuth 2.0 spec can help answer any remaining questions. More information can be found <a href="https://indieweb.org/IndieAuth-spec">on the IndieWeb wiki</a>.</p>
+      </section>
+
+      <section class="normative" id="oauth-2-0-extension">
+        <h3 id="x1-2-oauth-2-0-extension"><bdi class="secno">1.2 </bdi>OAuth 2.0 Extension<a class="self-link" aria-label="§" href="#oauth-2-0-extension"></a></h3>
+
+        <p id="oauth-2-0-extension-p-1">IndieAuth builds upon the OAuth 2.0 [<cite><a class="bibref" data-link-type="biblio" href="#bib-rfc6749" title="The OAuth 2.0 Authorization Framework">RFC6749</a></cite>] Framework as follows</p>
+
+        <ul>
+          <li id="oauth-2-0-extension-li-1">Specifies a format for user identifiers (a resolvable URL)</li>
+          <li id="oauth-2-0-extension-li-2">Specifies a method of discovering the authorization and token endpoints given a profile URL</li>
+          <li id="oauth-2-0-extension-li-3">Specifies a format for the Client ID (a resolvable URL)</li>
+          <li id="oauth-2-0-extension-li-4">All clients are public clients (no <code>client_secret</code> is used)</li>
+          <li id="oauth-2-0-extension-li-5">Client registration at the authorization endpoint is not necessary, since client IDs are resolvable URLs</li>
+          <li id="oauth-2-0-extension-li-6">Redirect URL registration happens by verifying data fetched at the Client ID URL</li>
+          <li id="oauth-2-0-extension-li-7">Specifies a mechanism for returning the user identifier and profile information for the user who authorized a request</li>
+        </ul>
+
+        <p id="oauth-2-0-extension-p-2">Additionally, the parameters defined by OAuth 2.0 (in particular <code>state</code>, <code>code</code>, and <code>scope</code>) follow the same syntax requirements as defined by Appendix A of OAuth 2.0 [<cite><a class="bibref" data-link-type="biblio" href="#bib-rfc6749" title="The OAuth 2.0 Authorization Framework">RFC6749</a></cite>].</p>
+      </section>
+    </section>
+
+    <section class="normative" id="conformance">
+      <h2 id="x2-conformance"><bdi class="secno">2. </bdi>Conformance<a class="self-link" aria-label="§" href="#conformance"></a></h2>
+
+      <p id="conformance-p-1">The key words "<em class="rfc2119" title="MUST">MUST</em>", "<em class="rfc2119" title="MUST NOT">MUST NOT</em>", "<em class="rfc2119" title="REQUIRED">REQUIRED</em>", "<em class="rfc2119" title="SHALL">SHALL</em>", "<em class="rfc2119" title="SHALL NOT">SHALL NOT</em>",
+      "<em class="rfc2119" title="SHOULD">SHOULD</em>", "<em class="rfc2119" title="SHOULD NOT">SHOULD NOT</em>", "<em class="rfc2119" title="RECOMMENDED">RECOMMENDED</em>", "<em class="rfc2119" title="MAY">MAY</em>", and "<em class="rfc2119" title="OPTIONAL">OPTIONAL</em>" in this
+      document are to be interpreted as described in [<cite><a class="bibref" data-link-type="biblio" href="#bib-rfc2119" title="Key words for use in RFCs to Indicate Requirement Levels">RFC2119</a></cite>].</p>
+
+      <section id="conformance-classes">
+        <h3 id="x2-1-conformance-classes"><bdi class="secno">2.1 </bdi>Conformance Classes<a class="self-link" aria-label="§" href="#conformance-classes"></a></h3>
+
+        <p id="conformance-classes-p-1">An IndieAuth implementation can implement one or more of the roles of an IndieAuth server or client. This section describes the conformance criteria for each role.</p>
+
+        <p id="conformance-classes-p-2">Listed below are known types of IndieAuth implementations.</p>
+
+        <section id="authorization-endpoint">
+          <h4 id="x2-1-1-authorization-endpoint"><bdi class="secno">2.1.1 </bdi>Authorization Endpoint<a class="self-link" aria-label="§" href="#authorization-endpoint"></a></h4>
+          <p id="authorization-endpoint-p-1">An IndieAuth Authorization Endpoint is responsible for obtaining authentication or authorization consent from the end user and generating and verifying authorization codes.</p>
+        </section>
+
+        <section id="token-endpoint">
+          <h4 id="x2-1-2-token-endpoint"><bdi class="secno">2.1.2 </bdi>Token Endpoint<a class="self-link" aria-label="§" href="#token-endpoint"></a></h4>
+          <p id="token-endpoint-p-1">An IndieAuth Token Endpoint is responsible for generating and verifying OAuth 2.0 Bearer Tokens.</p>
+        </section>
+
+        <section id="micropub-client">
+          <h4 id="x2-1-3-micropub-client"><bdi class="secno">2.1.3 </bdi>Micropub Client<a class="self-link" aria-label="§" href="#micropub-client"></a></h4>
+          <p id="micropub-client-p-1">A Micropub client will attempt to obtain an OAuth 2.0 Bearer Token given an IndieAuth profile URL, and will use the token when making Micropub requests.</p>
+        </section>
+
+        <section id="indieauth-client">
+          <h4 id="x2-1-4-indieauth-client"><bdi class="secno">2.1.4 </bdi>IndieAuth Client<a class="self-link" aria-label="§" href="#indieauth-client"></a></h4>
+          <p id="indieauth-client-p-1">An IndieAuth client is a client that is attempting to authenticate a user given their profile URL, but does not need an OAuth 2.0 Bearer Token.</p>
+        </section>
+
+      </section>
+    </section>
+
+    <section class="normative" id="identifiers">
+      <h2 id="x3-identifiers"><bdi class="secno">3. </bdi>Identifiers<a class="self-link" aria-label="§" href="#identifiers"></a></h2>
+
+      <section id="user-profile-url">
+        <h3 id="x3-1-user-profile-url"><bdi class="secno">3.1 </bdi>User Profile URL<a class="self-link" aria-label="§" href="#user-profile-url"></a></h3>
+
+        <p id="user-profile-url-p-1">Users are identified by a [<cite><a class="bibref" data-link-type="biblio" href="#bib-url" title="URL Standard">URL</a></cite>]. Profile URLs <em class="rfc2119" title="MUST">MUST</em> have either an <code>https</code> or <code>http</code> scheme, <em class="rfc2119" title="MUST">MUST</em> contain a path component (<code>/</code> is a valid path), <em class="rfc2119" title="MUST NOT">MUST NOT</em> contain single-dot or double-dot path segments, <em class="rfc2119" title="MAY">MAY</em> contain a query string component, <em class="rfc2119" title="MUST NOT">MUST NOT</em> contain a fragment component, <em class="rfc2119" title="MUST NOT">MUST NOT</em> contain a username or password component, and <em class="rfc2119" title="MUST NOT">MUST NOT</em> contain a port. Additionally, hostnames <em class="rfc2119" title="MUST">MUST</em> be domain names and <em class="rfc2119" title="MUST NOT">MUST NOT</em> be ipv4 or ipv6 addresses.</p>
+
+        <p id="user-profile-url-p-2">Some examples of valid profile URLs are:</p>
+
+        <ul>
+          <li id="user-profile-url-li-1"><code>https://example.com/</code></li>
+          <li id="user-profile-url-li-2"><code>https://example.com/username</code></li>
+          <li id="user-profile-url-li-3"><code>https://example.com/users?id=100</code></li>
+        </ul>
+
+        <p id="user-profile-url-p-3">Some examples of invalid profile URLs are:</p>
+        <ul>
+          <li id="user-profile-url-li-4"><s><code>example.com</code></s> - missing scheme</li>
+          <li id="user-profile-url-li-5"><s><code>mailto:user@example.com</code></s> - invalid scheme</li>
+          <li id="user-profile-url-li-6"><s><code>https://example.com/foo/../bar</code></s> - contains a double-dot path segment</li>
+          <li id="user-profile-url-li-7"><s><code>https://example.com/#me</code></s> - contains a fragment</li>
+          <li id="user-profile-url-li-8"><s><code>https://user:pass@example.com/</code></s> - contains a username and password</li>
+          <li id="user-profile-url-li-9"><s><code>https://example.com:8443/</code></s> - contains a port</li>
+          <li id="user-profile-url-li-10"><s><code>https://172.28.92.51/</code></s> - host is an IP address</li>
+        </ul>
+      </section>
+
+      <section id="client-identifier">
+        <h3 id="x3-2-client-identifier"><bdi class="secno">3.2 </bdi>Client Identifier<a class="self-link" aria-label="§" href="#client-identifier"></a></h3>
+
+        <p id="client-identifier-p-1">Clients are identified by a [<cite><a class="bibref" data-link-type="biblio" href="#bib-url" title="URL Standard">URL</a></cite>]. Client identifier URLs <em class="rfc2119" title="MUST">MUST</em> have either an <code>https</code> or <code>http</code> scheme, <em class="rfc2119" title="MUST">MUST</em> contain a path component, <em class="rfc2119" title="MUST NOT">MUST NOT</em> contain single-dot or double-dot path segments, <em class="rfc2119" title="MAY">MAY</em> contain a query string component, <em class="rfc2119" title="MUST NOT">MUST NOT</em> contain a fragment component, <em class="rfc2119" title="MUST NOT">MUST NOT</em> contain a username or password component, and <em class="rfc2119" title="MAY">MAY</em> contain a port. Additionally, hostnames <em class="rfc2119" title="MUST">MUST</em> be domain names or a loopback interface and <em class="rfc2119" title="MUST NOT">MUST NOT</em> be IPv4 or IPv6 addresses except for IPv4 <code>127.0.0.1</code> or IPv6 <code>[::1]</code>.</p>
+      </section>
+
+      <section id="url-canonicalization">
+        <h3 id="x3-3-url-canonicalization"><bdi class="secno">3.3 </bdi>URL Canonicalization<a class="self-link" aria-label="§" href="#url-canonicalization"></a></h3>
+
+        <p id="url-canonicalization-p-1">Since IndieAuth uses https/http URLs which fall under what [<cite><a class="bibref" data-link-type="biblio" href="#bib-url" title="URL Standard">URL</a></cite>] calls "<a href="https://url.spec.whatwg.org/#special-scheme">Special URLs</a>", a string with no path component is not a valid [<cite><a class="bibref" data-link-type="biblio" href="#bib-url" title="URL Standard">URL</a></cite>]. As such, if a URL with no path component is ever encountered, it <em class="rfc2119" title="MUST">MUST</em> be treated as if it had the path <code>/</code>. For example, if a user enters <code>https://example.com</code> as their profile URL, the client <em class="rfc2119" title="MUST">MUST</em> transform it to <code>https://example.com/</code> when using it and comparing it.</p>
+
+        <p id="url-canonicalization-p-2">Since domain names are case insensitive, the hostname component of the URL <em class="rfc2119" title="MUST">MUST</em> be compared case insensitively. Implementations <em class="rfc2119" title="SHOULD">SHOULD</em> convert the hostname to lowercase when storing and using URLs.</p>
+
+        <p id="url-canonicalization-p-3">For ease of use, clients <em class="rfc2119" title="MAY">MAY</em> allow users to enter just a hostname part of the URL, in which case the client <em class="rfc2119" title="MUST">MUST</em> turn that into a valid URL before beginning the IndieAuth flow, by prepending either an <code>http</code> or <code>https</code> scheme and appending the path <code>/</code>. For example, if the user enters <code>example.com</code>, the client transforms it into <code>http://example.com/</code> before beginning discovery.</p>
+      </section>
+
+    </section>
+
+    <section class="normative" id="discovery">
+      <h2 id="x4-discovery"><bdi class="secno">4. </bdi>Discovery<a class="self-link" aria-label="§" href="#discovery"></a></h2>
+
+      <p id="discovery-p-1">This specification uses the link rel registry as defined by [<cite><a class="bibref" data-link-type="biblio" href="#bib-html" title="HTML Standard">HTML</a></cite>]
+        for both HTML and HTTP link relations.</p>
+
+      <section id="discovery-by-clients">
+        <h3 id="x4-1-discovery-by-clients"><bdi class="secno">4.1 </bdi>Discovery by Clients<a class="self-link" aria-label="§" href="#discovery-by-clients"></a></h3>
+
+        <p id="discovery-by-clients-p-1">Clients need to discover a few pieces of information when a user signs in. The client needs to discover the user's <code>authorization_endpoint</code>, and optionally <code>token_endpoint</code> if the client needs an access token. When using the Authorization flow to obtain an access token for use at a [<cite><a class="bibref" data-link-type="biblio" href="#bib-micropub" title="Micropub">Micropub</a></cite>] endpoint, the client will also discover the <code>micropub</code> endpoint.</p>
+
+        <p id="discovery-by-clients-p-2">Clients <em class="rfc2119" title="MUST">MUST</em> start by making a GET or HEAD request to [<cite><a class="bibref" data-link-type="biblio" href="#bib-fetch" title="Fetch Standard">Fetch</a></cite>] the user's profile URL to discover the necessary values. Clients <em class="rfc2119" title="MUST">MUST</em> follow HTTP redirects (up to a self-imposed limit). If one or more successive HTTP permanent redirects (HTTP 301 or 308) are encountered starting with the very first request, the client <em class="rfc2119" title="MUST">MUST</em> use the final permanent redirection's target URL as the canonical profile URL. If any other redirection (such as HTTP 302, 303, or 307) is encountered, it must still be resolved for endpoint discovery, but this redirection does not modify the canonical profile URL, nor do subsequent permanent redirects.</p>
+
+        <p id="discovery-by-clients-p-3">Clients <em class="rfc2119" title="MUST">MUST</em> check for an HTTP <code>Link</code> header [<cite><a class="bibref" data-link-type="biblio" href="#bib-rfc8288" title="Web Linking">RFC8288</a></cite>] with the appropriate <code>rel</code> value. If the content type of the document is HTML, then the client <em class="rfc2119" title="MUST">MUST</em> check for an HTML <code>&lt;link&gt;</code> element with the appropriate <code>rel</code> value. If more than one of these is present, the first HTTP <code>Link</code> header takes precedence, followed by the first <code>&lt;link&gt;</code> element in document order.</p>
+
+        <p id="discovery-by-clients-p-4">The endpoints discovered <em class="rfc2119" title="MAY">MAY</em> be relative URLs, in which case the client <em class="rfc2119" title="MUST">MUST</em> resolve them relative to the current document URL according to [<cite><a class="bibref" data-link-type="biblio" href="#bib-url" title="URL Standard">URL</a></cite>].</p>
+
+        <p id="discovery-by-clients-p-5">Clients <em class="rfc2119" title="MAY">MAY</em> initially make an HTTP HEAD request [<cite><a class="bibref" data-link-type="biblio" href="#bib-rfc7231" title="Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content">RFC7231</a></cite>] to follow redirects and check for the <code>Link</code> header before making a GET request.</p>
+
+        <section id="redirect-examples">
+          <h4 id="x4-1-1-redirect-examples"><bdi class="secno">4.1.1 </bdi>Redirect Examples<a class="self-link" aria-label="§" href="#redirect-examples"></a></h4>
+
+          <section id="http-to-https">
+            <h5 id="x4-1-1-1-http-to-https"><bdi class="secno">4.1.1.1 </bdi>http to https<a class="self-link" aria-label="§" href="#http-to-https"></a></h5>
+            <p id="http-to-https-p-1">In this example, the user enters <code>example.com</code> in the sign-in form, so the client initially transforms that to <code>http://example.com/</code> to perform discovery. The URL <code>http://example.com/</code> returns an HTTP 301 permanent redirect to <code>https://example.com/</code>, so the client updates the initial profile URL to <code>https://example.com/</code>, and looks at the contents of that page to find the authorization endpoint.</p>
+          </section>
+
+          <section id="www-to-no-www">
+            <h5 id="x4-1-1-2-www-to-no-www"><bdi class="secno">4.1.1.2 </bdi>www to no-www<a class="self-link" aria-label="§" href="#www-to-no-www"></a></h5>
+            <p id="www-to-no-www-p-1">In this example, the user enters <code>www.example.com</code> in the sign-in form, so the client initially transforms that to <code>http://www.example.com/</code> to perform discovery. The URL <code>http://www.example.com/</code> returns an HTTP 301 permanent redirect to <code>https://example.com/</code>, so the client updates the initial profile URL to <code>https://example.com/</code>, and looks at the contents of that page to find the authorization endpoint.</p>
+          </section>
+
+          <section id="temporary-redirect">
+            <h5 id="x4-1-1-3-temporary-redirect"><bdi class="secno">4.1.1.3 </bdi>Temporary Redirect<a class="self-link" aria-label="§" href="#temporary-redirect"></a></h5>
+            <p id="temporary-redirect-p-1">In this example, the user enters <code>example.com</code> in the sign-in form, so the client initially transforms that to <code>http://example.com/</code> to perform discovery. The URL <code>http://example.com/</code> returns an HTTP 301 permanent redirect to <code>https://example.com/</code>, and <code>https://example.com/</code> returns an HTTP 302 temporary redirect to <code>https://example.com/username</code>. The client stores the last 301 permanent redirect as the profile URL, <code>https://example.com/</code>, and uses the contents of <code>https://example.com/username</code> to find the authorization endpoint.</p>
+          </section>
+
+          <section id="permanent-redirect-to-a-different-domain">
+            <h5 id="x4-1-1-4-permanent-redirect-to-a-different-domain"><bdi class="secno">4.1.1.4 </bdi>Permanent Redirect to a Different Domain<a class="self-link" aria-label="§" href="#permanent-redirect-to-a-different-domain"></a></h5>
+            <p id="permanent-redirect-to-a-different-domain-p-1">In this example, the user enters <code>username.example</code> in the sign-in form, so the client initially transforms that to <code>http://username.example/</code> to perform discovery. However, the user does not host any content there, and instead that page is a redirect to their profile elsewhere. The URL <code>http://username.example/</code> returns an HTTP 301 permanent redirect to <code>https://example.com/username</code>, so the client updates the initial profile URL to <code>https://example.com/username</code> when setting the <code>me</code> parameter in the initial request. At the end of the flow, the authorization endpoint will return a <code>me</code> value of <code>https://example.com/username</code>, which is not on the same domain as what the user entered, but the client can accept it because of the HTTP 301 redirect encountered during discovery.</p>
+          </section>
+
+          <section id="temporary-redirect-to-a-different-domain">
+            <h5 id="x4-1-1-5-temporary-redirect-to-a-different-domain"><bdi class="secno">4.1.1.5 </bdi>Temporary Redirect to a Different Domain<a class="self-link" aria-label="§" href="#temporary-redirect-to-a-different-domain"></a></h5>
+            <p id="temporary-redirect-to-a-different-domain-p-1">In this example, the user enters <code>username.example</code> in the sign-in form, so the client initially transforms that to <code>http://username.example/</code> to perform discovery. However, the user does not host any content there, and instead that page is a temporary redirect to their profile elsewhere. The URL <code>http://username.example/</code> returns an HTTP 302 temporary redirect to <code>https://example.com/username</code>, so the client discovers the authorization endpoint at that URL. Since the redirect is temporary, the client still uses the user-entered <code>http://username.example/</code> when setting the <code>me</code> parameter in the initial request. At the end of the flow, the authorization endpoint will return a <code>me</code> value of <code>https://username.example/</code>, which is not on the same domain as the authorization endpoint, but is the same domain as the user entered. This allows users to still use a profile URL under their control while delegating the authentication or authorization flow to an external account.</p>
+          </section>
+        </section>
+      </section>
+
+      <section id="client-information-discovery">
+        <h3 id="x4-2-client-information-discovery"><bdi class="secno">4.2 </bdi>Client Information Discovery<a class="self-link" aria-label="§" href="#client-information-discovery"></a></h3>
+
+        <p id="client-information-discovery-p-1">When an authorization server presents its <a href="https://www.oauth.com/oauth2-servers/authorization/the-authorization-interface/">authorization interface</a>, it will often want to display some additional information about the client beyond just the <code>client_id</code> URL, in order to better inform the user about the request being made. Additionally, the authorization server needs to know the list of redirect URLs that the client is allowed to redirect to.</p>
+
+        <p id="client-information-discovery-p-2">Since client identifiers are URLs, the authorization server <em class="rfc2119" title="SHOULD">SHOULD</em> [<cite><a class="bibref" data-link-type="biblio" href="#bib-fetch" title="Fetch Standard">Fetch</a></cite>] the URL to find more information about the client.</p>
+
+        <section id="application-information">
+          <h4 id="x4-2-1-application-information"><bdi class="secno">4.2.1 </bdi>Application Information<a class="self-link" aria-label="§" href="#application-information"></a></h4>
+
+          <p id="application-information-p-1">Clients <em class="rfc2119" title="SHOULD">SHOULD</em> have a web page at their <code>client_id</code> URL with basic information about the application, at least the application's name and icon. This page serves as a good landing page for human visitors, but can also serve as the place to include machine-readable information about the application. The HTML on the <code>client_id</code> URL <em class="rfc2119" title="SHOULD">SHOULD</em> be marked up with [<cite><a class="bibref" data-link-type="biblio" href="#bib-h-app" title="h-app">h-app</a></cite>] Microformat to indicate the name and icon of the application. Authorization servers <em class="rfc2119" title="SHOULD">SHOULD</em> support parsing the [<cite><a class="bibref" data-link-type="biblio" href="#bib-h-app" title="h-app">h-app</a></cite>] Microformat from the <code>client_id</code>, and if there is an [<cite><a class="bibref" data-link-type="biblio" href="#bib-h-app" title="h-app">h-app</a></cite>] with a <code>url</code> property matching the <code>client_id</code> URL, then it should use the name and icon and display them on the authorization prompt.</p>
+
+          <div class="example" id="example-1">
+        <div class="marker">
+    <a class="self-link" href="#example-1">Example<bdi> 1</bdi></a>
+  </div> <pre aria-busy="false"><code class="hljs javascript">&lt;div <span class="hljs-class"><span class="hljs-keyword">class</span></span>=<span class="hljs-string">"h-app"</span>&gt;
+  <span class="xml"><span class="hljs-tag">&lt;<span class="hljs-name">img</span> <span class="hljs-attr">src</span>=<span class="hljs-string">"/logo.png"</span> <span class="hljs-attr">class</span>=<span class="hljs-string">"u-logo"</span>&gt;</span>
+  <span class="hljs-tag">&lt;<span class="hljs-name">a</span> <span class="hljs-attr">href</span>=<span class="hljs-string">"/"</span> <span class="hljs-attr">class</span>=<span class="hljs-string">"u-url p-name"</span>&gt;</span>Example App<span class="hljs-tag">&lt;/<span class="hljs-name">a</span>&gt;</span>
+<span class="hljs-tag">&lt;/<span class="hljs-name">div</span>&gt;</span></span></code></pre>
+      </div>
+
+          <p id="application-information-p-2">This can be parsed with a <a href="http://microformats.org/wiki/microformats2#Parsers">Microformats2 parser</a>, which will result in the following JSON structure.</p>
+
+          <div class="example" id="example-2">
+        <div class="marker">
+    <a class="self-link" href="#example-2">Example<bdi> 2</bdi></a>
+  </div> <pre aria-busy="false"><code class="hljs json">{
+  <span class="hljs-attr">"type"</span>: [
+    <span class="hljs-string">"h-app"</span>
+  ],
+  <span class="hljs-attr">"properties"</span>: {
+    <span class="hljs-attr">"name"</span>: [<span class="hljs-string">"Example App"</span>],
+    <span class="hljs-attr">"logo"</span>: [<span class="hljs-string">"https://app.example.com/logo.png"</span>],
+    <span class="hljs-attr">"url"</span>: [<span class="hljs-string">"https://app.example.com/"</span>]
+  }
+}</code></pre>
+      </div>
+        </section>
+
+        <section id="redirect-url">
+          <h4 id="x4-2-2-redirect-url"><bdi class="secno">4.2.2 </bdi>Redirect URL<a class="self-link" aria-label="§" href="#redirect-url"></a></h4>
+
+          <p id="redirect-url-p-1">If a client wishes to use a redirect URL that is on a different domain than their <code>client_id</code>, or if the redirect URL uses a custom scheme (such as when the client is a native application), then the client will need to whitelist those redirect URLs so that authorization endpoints can be sure it is safe to redirect users there. The client <em class="rfc2119" title="SHOULD">SHOULD</em> publish one or more <code>&lt;link&gt;</code> tags or <code>Link</code> HTTP headers with a <code>rel</code> attribute of <code>redirect_uri</code> at the <code>client_id</code> URL.</p>
+
+          <p id="redirect-url-p-2">Authorization endpoints verifying that a <code>redirect_uri</code> is allowed for use by a client <em class="rfc2119" title="MUST">MUST</em> look for an exact match of the given <code>redirect_uri</code> in the request against the list of <code>redirect_uri</code>s discovered after resolving any relative URLs.</p>
+
+          <div class="example" id="example-3">
+        <div class="marker">
+    <a class="self-link" href="#example-3">Example<bdi> 3</bdi></a>
+  </div> <pre aria-busy="false"><code class="hljs http"><span class="hljs-keyword">GET</span> <span class="hljs-string">/</span> HTTP/1.1
+<span class="hljs-attribute">Host</span>: app.example.com
+
+<span class="http">HTTP/1.1 <span class="hljs-number">200</span> Ok
+<span class="hljs-attribute">Content-type</span>: text/html; charset=utf-8
+<span class="hljs-attribute">Link</span>: &lt;https://app.example.com/redirect&gt;; rel="redirect_uri"
+
+<span class="xml"><span class="hljs-meta">&lt;!doctype <span class="hljs-meta-keyword">html</span>&gt;</span>
+<span class="hljs-tag">&lt;<span class="hljs-name">html</span>&gt;</span>
+  <span class="hljs-tag">&lt;<span class="hljs-name">head</span>&gt;</span>
+    <span class="hljs-tag">&lt;<span class="hljs-name">link</span> <span class="hljs-attr">rel</span>=<span class="hljs-string">"redirect_uri"</span> <span class="hljs-attr">href</span>=<span class="hljs-string">"/redirect"</span>&gt;</span>
+  <span class="hljs-tag">&lt;/<span class="hljs-name">head</span>&gt;</span>
+  ...
+<span class="hljs-tag">&lt;/<span class="hljs-name">html</span>&gt;</span></span></span></code></pre>
+      </div>
+        </section>
+
+      </section>
+
+    </section>
+
+    <section class="normative" id="authorization">
+      <h2 id="x5-authorization"><bdi class="secno">5. </bdi>Authorization<a class="self-link" aria-label="§" href="#authorization"></a></h2>
+
+      <p id="authorization-p-1">This section describes how to authenticate users and optionally obtain an access token using the OAuth 2.0 Authorization Code Flow with IndieAuth.</p>
+
+
+      <svg version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 1059 765" style="width: 100%; height: auto;"><defs></defs><g><g></g><g></g><g></g><g></g><g></g><g></g><g></g><g></g><g></g><g></g><g></g><g></g><g></g><g></g><g></g><g></g><g></g><g></g><g></g><g></g><g></g><g></g><g></g><g></g><g></g><g></g><g></g><g><rect fill="white" stroke="none" x="0" y="0" width="1059" height="765"></rect></g><g><text fill="black" stroke="none" font-family="Arial" font-size="16.5pt" font-style="normal" font-weight="normal" text-decoration="normal" x="339.62352710203197" y="24.50280495" text-anchor="start" dominant-baseline="alphabetic">IndieAuth Authorization Flow Diagram</text></g><g><path fill="none" stroke="black" paint-order="fill stroke markers" d=" M 52.77388084866407 95.887643371 L 52.77388084866407 765.6309786710002" stroke-miterlimit="10" stroke-width="1.3612669416666667" stroke-dasharray="12.565541,5.445067766666667"></path><path fill="none" stroke="black" paint-order="fill stroke markers" d=" M 345.71152869488805 95.887643371 L 345.71152869488805 765.6309786710002" stroke-miterlimit="10" stroke-width="1.3612669416666667" stroke-dasharray="12.565541,5.445067766666667"></path><path fill="none" stroke="black" paint-order="fill stroke markers" d=" M 586.4516209991198 95.887643371 L 586.4516209991198 765.6309786710002" stroke-miterlimit="10" stroke-width="1.3612669416666667" stroke-dasharray="12.565541,5.445067766666667"></path><path fill="none" stroke="black" paint-order="fill stroke markers" d=" M 807.065021948599 95.887643371 L 807.065021948599 765.6309786710002" stroke-miterlimit="10" stroke-width="1.3612669416666667" stroke-dasharray="12.565541,5.445067766666667"></path><path fill="none" stroke="black" paint-order="fill stroke markers" d=" M 983.1388990634076 95.887643371 L 983.1388990634076 765.6309786710002" stroke-miterlimit="10" stroke-width="1.3612669416666667" stroke-dasharray="12.565541,5.445067766666667"></path></g><g><path fill="none" stroke="none"></path><g><path fill="white" stroke="black" paint-order="fill stroke markers" d=" M 8.167601650000002 51.782594461 L 97.38016004732813 51.782594461 L 97.38016004732813 95.887643371 L 8.167601650000002 95.887643371 L 8.167601650000002 51.782594461 Z" stroke-miterlimit="10" stroke-width="2.613632528" stroke-dasharray=""></path></g><g><g></g><text fill="black" stroke="none" font-family="Arial" font-size="11pt" font-style="normal" font-weight="normal" text-decoration="normal" x="25.891297230500008" y="79.55244007099999" text-anchor="start" dominant-baseline="alphabetic">Browser</text></g><path fill="none" stroke="none"></path><g><path fill="white" stroke="black" paint-order="fill stroke markers" d=" M 309.2476902921224 51.782594461 L 382.17536709765363 51.782594461 L 382.17536709765363 95.887643371 L 309.2476902921224 95.887643371 L 309.2476902921224 51.782594461 Z" stroke-miterlimit="10" stroke-width="2.613632528" stroke-dasharray=""></path></g><g><g></g><text fill="black" stroke="none" font-family="Arial" font-size="11pt" font-style="normal" font-weight="normal" text-decoration="normal" x="326.9713858726224" y="79.55244007099999" text-anchor="start" dominant-baseline="alphabetic">Client</text></g><path fill="none" stroke="none"></path><g><path fill="white" stroke="black" paint-order="fill stroke markers" d=" M 536.5518618810221 51.782594461 L 636.3513801172174 51.782594461 L 636.3513801172174 95.887643371 L 536.5518618810221 95.887643371 L 536.5518618810221 51.782594461 Z" stroke-miterlimit="10" stroke-width="2.613632528" stroke-dasharray=""></path></g><g><g></g><text fill="black" stroke="none" font-family="Arial" font-size="11pt" font-style="normal" font-weight="normal" text-decoration="normal" x="554.2755574615221" y="79.55244007099999" text-anchor="start" dominant-baseline="alphabetic">User URL</text></g><path fill="none" stroke="none"></path><g><path fill="white" stroke="black" paint-order="fill stroke markers" d=" M 715.5833078744466 51.782594461 L 898.5467360227514 51.782594461 L 898.5467360227514 95.887643371 L 715.5833078744466 95.887643371 L 715.5833078744466 51.782594461 Z" stroke-miterlimit="10" stroke-width="2.613632528" stroke-dasharray=""></path></g><g><g></g><text fill="black" stroke="none" font-family="Arial" font-size="11pt" font-style="normal" font-weight="normal" text-decoration="normal" x="733.3070034549467" y="79.55244007099999" text-anchor="start" dominant-baseline="alphabetic">Authorization Endpoint</text></g><path fill="none" stroke="none"></path><g><path fill="white" stroke="black" paint-order="fill stroke markers" d=" M 914.8819393227514 51.782594461 L 1051.395858804064 51.782594461 L 1051.395858804064 95.887643371 L 914.8819393227514 95.887643371 L 914.8819393227514 51.782594461 Z" stroke-miterlimit="10" stroke-width="2.613632528" stroke-dasharray=""></path></g><g><g></g><text fill="black" stroke="none" font-family="Arial" font-size="11pt" font-style="normal" font-weight="normal" text-decoration="normal" x="932.6056349032514" y="79.55244007099999" text-anchor="start" dominant-baseline="alphabetic">Token Endpoint</text></g></g><g><g><g><path fill="none" stroke="none"></path><rect fill="white" stroke="none" x="103.91131313175653" y="128.558049971" width="190.66278328003906" height="21.23576429"></rect></g><text fill="black" stroke="none" font-family="Arial" font-size="11pt" font-style="normal" font-weight="normal" text-decoration="normal" x="106.36159362675653" y="143.259732941" text-anchor="start" dominant-baseline="alphabetic">User enters their profile URL</text></g><g><path fill="none" stroke="black" paint-order="fill stroke markers" d=" M 52.77388084866407 149.793814261 L 345.71152869488805 149.793814261" stroke-miterlimit="10" stroke-width="1.3612669416666667" stroke-dasharray=""></path><path fill="black" stroke="none" paint-order="stroke fill markers" d=" M 332.09885927822137 142.98747955266666 L 345.71152869488805 149.793814261 L 332.09885927822137 156.60014896933333 Z"></path></g><g><g><path fill="none" stroke="none"></path><rect fill="white" stroke="none" x="365.0415192665547" y="174.296619211" width="202.08011116089844" height="21.23576429"></rect></g><g><path fill="none" stroke="none"></path><rect fill="white" stroke="none" x="365.0415192665547" y="190.631822511" width="193.45447029175781" height="21.23576429"></rect></g><g><path fill="none" stroke="none"></path><rect fill="white" stroke="none" x="365.0415192665547" y="206.96702581099998" width="169.0593744665625" height="21.23576429"></rect></g><text fill="black" stroke="none" font-family="Arial" font-size="11pt" font-style="normal" font-weight="normal" text-decoration="normal" x="367.4917997615547" y="188.99830218099999" text-anchor="start" dominant-baseline="alphabetic">Client fetches URL to discover</text><text fill="black" stroke="none" font-family="Arial" font-size="11pt" font-style="normal" font-weight="normal" text-decoration="normal" x="367.4917997615547" y="205.33350548099997" text-anchor="start" dominant-baseline="alphabetic"></text><text fill="black" stroke="none" font-family="Arial" font-size="11pt" font-style="normal" font-weight="bold" text-decoration="normal" x="367.4917997615547" y="205.33350548099997" text-anchor="start" dominant-baseline="alphabetic">rel=authorization_endpoint</text><text fill="black" stroke="none" font-family="Arial" font-size="11pt" font-style="normal" font-weight="normal" text-decoration="normal" x="556.0457090633125" y="205.33350548099997" text-anchor="start" dominant-baseline="alphabetic"></text><text fill="black" stroke="none" font-family="Arial" font-size="11pt" font-style="normal" font-weight="normal" text-decoration="normal" x="367.4917997615547" y="221.66870878099996" text-anchor="start" dominant-baseline="alphabetic">and </text><text fill="black" stroke="none" font-family="Arial" font-size="11pt" font-style="normal" font-weight="bold" text-decoration="normal" x="396.0243620174141" y="221.66870878099996" text-anchor="start" dominant-baseline="alphabetic">rel=token_endpoint</text><text fill="black" stroke="none" font-family="Arial" font-size="11pt" font-style="normal" font-weight="normal" text-decoration="normal" x="531.6506132381172" y="221.66870878099996" text-anchor="start" dominant-baseline="alphabetic"></text></g><g><path fill="none" stroke="black" paint-order="fill stroke markers" d=" M 345.71152869488805 228.202790101 L 586.4516209991198 228.202790101" stroke-miterlimit="10" stroke-width="1.3612669416666667" stroke-dasharray=""></path><path fill="black" stroke="none" paint-order="stroke fill markers" d=" M 572.8389515824531 221.39645539266667 L 586.4516209991198 228.202790101 L 572.8389515824531 235.00912480933334 Z"></path></g><g><g><path fill="none" stroke="none"></path><rect fill="white" stroke="none" x="72.10387142033075" y="252.705595051" width="254.27766670289063" height="21.23576429"></rect></g><g><path fill="none" stroke="none"></path><rect fill="white" stroke="none" x="72.10387142033075" y="269.040798351" width="243.54748786988281" height="21.23576429"></rect></g><text fill="black" stroke="none" font-family="Arial" font-size="11pt" font-style="normal" font-weight="normal" text-decoration="normal" x="74.55415191533075" y="267.40727802099997" text-anchor="start" dominant-baseline="alphabetic">Client builds authorization request and</text><text fill="black" stroke="none" font-family="Arial" font-size="11pt" font-style="normal" font-weight="normal" text-decoration="normal" x="74.55415191533075" y="283.74248132099996" text-anchor="start" dominant-baseline="alphabetic">redirects to </text><text fill="black" stroke="none" font-family="Arial" font-size="11pt" font-style="normal" font-weight="bold" text-decoration="normal" x="151.13964691044794" y="283.74248132099996" text-anchor="start" dominant-baseline="alphabetic">authorization_endpoint</text><text fill="black" stroke="none" font-family="Arial" font-size="11pt" font-style="normal" font-weight="normal" text-decoration="normal" x="313.20107879521356" y="283.74248132099996" text-anchor="start" dominant-baseline="alphabetic"></text></g><g><path fill="none" stroke="black" paint-order="fill stroke markers" d=" M 345.71152869488805 290.276562641 L 52.77388084866407 290.276562641" stroke-miterlimit="10" stroke-width="1.3612669416666667" stroke-dasharray="6.53408132"></path><path fill="black" stroke="none" paint-order="stroke fill markers" d=" M 66.38655026533074 283.47022793266666 L 52.77388084866407 290.276562641 L 66.38655026533074 297.08289734933334 Z"></path></g><g><g><path fill="none" stroke="none"></path><rect fill="white" stroke="none" x="188.6969083303894" y="314.779367591" width="482.44508613648435" height="21.23576429"></rect></g><text fill="black" stroke="none" font-family="Arial" font-size="11pt" font-style="normal" font-weight="normal" text-decoration="normal" x="191.14718882538938" y="329.48105056099996" text-anchor="start" dominant-baseline="alphabetic">User visits their authorization endpoint and sees the authorization request</text></g><g><path fill="none" stroke="black" paint-order="fill stroke markers" d=" M 52.77388084866407 336.015131881 L 807.065021948599 336.015131881" stroke-miterlimit="10" stroke-width="1.3612669416666667" stroke-dasharray=""></path><path fill="black" stroke="none" paint-order="stroke fill markers" d=" M 793.4523525319323 329.20879717266666 L 807.065021948599 336.015131881 L 793.4523525319323 342.82146658933334 Z"></path></g><g><g><path fill="none" stroke="none"></path><rect fill="white" stroke="none" x="375.10486494393103" y="360.517936831" width="402.566820755625" height="21.23576429"></rect></g><text fill="black" stroke="none" font-family="Arial" font-size="11pt" font-style="normal" font-weight="normal" text-decoration="normal" x="377.55514543893105" y="375.21961980099996" text-anchor="start" dominant-baseline="alphabetic">Authorization endpoint fetches client information (name, icon)</text></g><g><path fill="none" stroke="black" paint-order="fill stroke markers" d=" M 807.065021948599 381.753701121 L 345.71152869488805 381.753701121" stroke-miterlimit="10" stroke-width="1.3612669416666667" stroke-dasharray=""></path><path fill="black" stroke="none" paint-order="stroke fill markers" d=" M 359.3241981115547 374.94736641266667 L 345.71152869488805 381.753701121 L 359.3241981115547 388.56003582933334 Z"></path></g><g><g><path fill="none" stroke="none"></path><rect fill="white" stroke="none" x="217.22231421417845" y="406.256506071" width="305.6162592321875" height="21.23576429"></rect></g><g><path fill="none" stroke="none"></path><rect fill="white" stroke="none" x="217.22231421417845" y="422.591709371" width="425.3942743689062" height="21.23576429"></rect></g><text fill="black" stroke="none" font-family="Arial" font-size="11pt" font-style="normal" font-weight="normal" text-decoration="normal" x="219.67259470917844" y="420.95818904099997" text-anchor="start" dominant-baseline="alphabetic">User authenticates, and approves the request.</text><text fill="black" stroke="none" font-family="Arial" font-size="11pt" font-style="normal" font-weight="normal" text-decoration="normal" x="219.67259470917844" y="437.29339234099996" text-anchor="start" dominant-baseline="alphabetic">Authorization endpoint issues code, builds redirect back to client.</text></g><g><path fill="none" stroke="black" paint-order="fill stroke markers" d=" M 807.065021948599 443.827473661 L 52.77388084866407 443.827473661" stroke-miterlimit="10" stroke-width="1.3612669416666667" stroke-dasharray="6.53408132"></path><path fill="black" stroke="none" paint-order="stroke fill markers" d=" M 66.38655026533074 437.02113895266666 L 52.77388084866407 443.827473661 L 66.38655026533074 450.63380836933334 Z"></path></g><g><g><path fill="none" stroke="none"></path><rect fill="white" stroke="none" x="87.22556789249872" y="468.330278611" width="202.41652168335938" height="21.23576429"></rect></g><g><path fill="none" stroke="none"></path><rect fill="white" stroke="none" x="87.22556789249872" y="484.665481911" width="224.0342737585547" height="21.23576429"></rect></g><text fill="black" stroke="none" font-family="Arial" font-size="11pt" font-style="normal" font-weight="normal" text-decoration="normal" x="89.67584838749872" y="483.03196158099996" text-anchor="start" dominant-baseline="alphabetic">User's browser is redirected to</text><text fill="black" stroke="none" font-family="Arial" font-size="11pt" font-style="normal" font-weight="normal" text-decoration="normal" x="89.67584838749872" y="499.36716488099995" text-anchor="start" dominant-baseline="alphabetic">client with an </text><text fill="black" stroke="none" font-family="Arial" font-size="11pt" font-style="normal" font-weight="bold" text-decoration="normal" x="178.49469604374872" y="499.36716488099995" text-anchor="start" dominant-baseline="alphabetic">authorization code</text><text fill="black" stroke="none" font-family="Arial" font-size="11pt" font-style="normal" font-weight="normal" text-decoration="normal" x="308.8095611560534" y="499.36716488099995" text-anchor="start" dominant-baseline="alphabetic"></text></g><g><path fill="none" stroke="black" paint-order="fill stroke markers" d=" M 52.77388084866407 505.901246201 L 345.71152869488805 505.901246201" stroke-miterlimit="10" stroke-width="1.3612669416666667" stroke-dasharray=""></path><path fill="black" stroke="none" paint-order="stroke fill markers" d=" M 332.09885927822137 499.09491149266665 L 345.71152869488805 505.901246201 L 332.09885927822137 512.7075809093333 Z"></path></g><g><g><path fill="none" stroke="none"></path><rect fill="white" stroke="none" x="520.9871709329759" y="530.4040511509999" width="286.8760858923437" height="21.23576429"></rect></g><g><path fill="none" stroke="none"></path><rect fill="white" stroke="none" x="520.9871709329759" y="546.7392544509999" width="270.5339228064062" height="21.23576429"></rect></g><g><path fill="none" stroke="none"></path><rect fill="white" stroke="none" x="520.9871709329759" y="563.0744577509998" width="145.91697944703125" height="21.23576429"></rect></g><text fill="black" stroke="none" font-family="Arial" font-size="11pt" font-style="normal" font-weight="normal" text-decoration="normal" x="523.4374514279759" y="545.1057341209998" text-anchor="start" dominant-baseline="alphabetic">Client exchanges authorization code for an </text><text fill="black" stroke="none" font-family="Arial" font-size="11pt" font-style="normal" font-weight="normal" text-decoration="normal" x="523.4374514279759" y="561.4409374209998" text-anchor="start" dominant-baseline="alphabetic">access token by making a POST request</text><text fill="black" stroke="none" font-family="Arial" font-size="11pt" font-style="normal" font-weight="normal" text-decoration="normal" x="523.4374514279759" y="577.7761407209998" text-anchor="start" dominant-baseline="alphabetic">to the token_endpoint</text></g><g><path fill="none" stroke="black" paint-order="fill stroke markers" d=" M 345.71152869488805 584.3102220409999 L 983.1388990634076 584.3102220409999" stroke-miterlimit="10" stroke-width="1.3612669416666667" stroke-dasharray=""></path><path fill="black" stroke="none" paint-order="stroke fill markers" d=" M 969.526229646741 577.5038873326665 L 983.1388990634076 584.3102220409999 L 969.526229646741 591.1165567493332 Z"></path></g><g><g><path fill="none" stroke="none"></path><rect fill="white" stroke="none" x="505.9299199564134" y="608.813026991" width="268.9448114782812" height="21.23576429"></rect></g><g><path fill="none" stroke="none"></path><rect fill="white" stroke="none" x="505.9299199564134" y="625.148230291" width="316.9905878454687" height="21.23576429"></rect></g><text fill="black" stroke="none" font-family="Arial" font-size="11pt" font-style="normal" font-weight="normal" text-decoration="normal" x="508.38020045141343" y="623.514709961" text-anchor="start" dominant-baseline="alphabetic">Token endpoint verifies code and returns</text><text fill="black" stroke="none" font-family="Arial" font-size="11pt" font-style="normal" font-weight="normal" text-decoration="normal" x="508.38020045141343" y="639.849913261" text-anchor="start" dominant-baseline="alphabetic">canonical user profile URL with an access token</text></g><g><path fill="none" stroke="black" paint-order="fill stroke markers" d=" M 983.1388990634076 646.383994581 L 345.71152869488805 646.383994581" stroke-miterlimit="10" stroke-width="1.3612669416666667" stroke-dasharray="6.53408132"></path><path fill="black" stroke="none" paint-order="stroke fill markers" d=" M 359.3241981115547 639.5776598726667 L 345.71152869488805 646.383994581 L 359.3241981115547 653.1903292893334 Z"></path></g><g><g><path fill="none" stroke="none"></path><rect fill="white" stroke="none" x="106.74953182072137" y="670.8867995310002" width="184.98634590210938" height="21.23576429"></rect></g><g><path fill="none" stroke="none"></path><rect fill="white" stroke="none" x="106.74953182072137" y="687.2220028310002" width="164.6427942663672" height="21.23576429"></rect></g><text fill="black" stroke="none" font-family="Arial" font-size="11pt" font-style="normal" font-weight="normal" text-decoration="normal" x="109.19981231572137" y="685.5884825010002" text-anchor="start" dominant-baseline="alphabetic">Client initiates login session</text><text fill="black" stroke="none" font-family="Arial" font-size="11pt" font-style="normal" font-weight="normal" text-decoration="normal" x="109.19981231572137" y="701.9236858010001" text-anchor="start" dominant-baseline="alphabetic">and the user is logged in</text></g><g><path fill="none" stroke="black" paint-order="fill stroke markers" d=" M 345.71152869488805 708.4577671210002 L 52.77388084866407 708.4577671210002" stroke-miterlimit="10" stroke-width="1.3612669416666667" stroke-dasharray="6.53408132"></path><path fill="black" stroke="none" paint-order="stroke fill markers" d=" M 66.38655026533074 701.6514324126668 L 52.77388084866407 708.4577671210002 L 66.38655026533074 715.2641018293335 Z"></path></g></g><g></g><g></g><g></g><g></g><g></g></g></svg>
+      <ul>
+        <li id="authorization-li-1">The End-User enters their profile URL in the login form of the client and clicks "Sign in"</li>
+        <li id="authorization-li-2">The client discovers the End-User's authorization endpoint and token endpoint by fetching the profile URL and looking for the <code>rel=authorization_endpoint</code> and <code>rel=token_endpoint</code> values</li>
+        <li id="authorization-li-3">The client builds the authorization request including its client identifier, requested scope, local state, and a redirect URI, and redirects the browser to the authorization endpoint</li>
+        <li id="authorization-li-4">The authorization endpoint fetches the client information from the client identifier URL in order to have an application name and icon to display to the user</li>
+        <li id="authorization-li-5">The authorization endpoint verifies the End-User, e.g. by logging in, and establishes whether the End-User grants or denies the client's request</li>
+        <li id="authorization-li-6">The authorization endpoint generates an authorization code and redirects the browser back to the client, including an authorization code in the URL</li>
+        <li id="authorization-li-7">The client exchanges the authorization code for an access token by making a POST request to the token endpoint. The token endpoint validates the authorization code, and responds with the End-User's canonical profile URL and an access token</li>
+      </ul>
+
+      <p id="authorization-p-2">Note: If the client is only trying to learn who the user is and does not need an access token, the client exchanges the authorization code for the user profile information at the Authorization Endpoint instead.</p>
+
+      <section id="discovery-0">
+        <h3 id="x5-1-discovery"><bdi class="secno">5.1 </bdi>Discovery<a class="self-link" aria-label="§" href="#discovery-0"></a></h3>
+
+        <p id="discovery-0-p-1">After obtaining the End-User's profile URL, the client fetches the URL and looks for the <code>authorization_endpoint</code> and <code>token_endpoint</code> rel values in the HTTP <code>Link</code> headers and HTML <code>&lt;link&gt;</code> tags as described in <a href="#discovery-by-clients" class="sec-ref">§&nbsp;<bdi class="secno">4.1 </bdi>Discovery by Clients</a>.</p>
+
+        <div class="example" id="example-4">
+        <div class="marker">
+    <a class="self-link" href="#example-4">Example<bdi> 4</bdi></a>
+  </div> <pre class="nohighlight">Link: &lt;https://example.org/auth&gt;; rel="authorization_endpoint"
+Link: &lt;https://example.org/token&gt;; rel="token_endpoint"
+
+&lt;link rel="authorization_endpoint" href="https://example.org/auth"&gt;
+&lt;link rel="token_endpoint" href="https://example.org/token"&gt;</pre>
+      </div>
+      </section>
+
+      <section id="authorization-request">
+        <h3 id="x5-2-authorization-request"><bdi class="secno">5.2 </bdi>Authorization Request<a class="self-link" aria-label="§" href="#authorization-request"></a></h3>
+
+          <p id="authorization-request-p-1">The client builds the authorization request URL by starting with the discovered <code>authorization_endpoint</code> URL and adding parameters to the query component.</p>
+
+          <p id="authorization-request-p-2">All IndieAuth clients <em class="rfc2119" title="MUST">MUST</em> use PKCE ([<cite><a class="bibref" data-link-type="biblio" href="#bib-rfc7636" title="Proof Key for Code Exchange by OAuth Public Clients">RFC7636</a></cite>]) to protect against authorization code injection and CSRF attacks. A non-canonical description of the PKCE mechanism is described below, but implementers should refer to [<cite><a class="bibref" data-link-type="biblio" href="#bib-rfc7636" title="Proof Key for Code Exchange by OAuth Public Clients">RFC7636</a></cite>] for details.</p>
+
+          <p id="authorization-request-p-3">Clients use a unique secret per authorization request to protect against authorization code injection and CSRF attacks. The client first generates this secret, which it can later use along with the authorization code to prove that the application using the authorization code is the same application that requested it.</p>
+
+          <p id="authorization-request-p-4">The client first creates a code verifier for each authorization request by generating a random string using the characters <code>[A-Z] / [a-z] / [0-9] / - / . / _ / ~</code> with a minimum length of 43 characters and maximum length of 128 characters. This value is stored on the client and will be used in the authorization code exchange step later.</p>
+
+          <p id="authorization-request-p-5">The client then creates the code challenge derived from the code verifier by calculating the SHA256 hash of the code verifier and Base64-URL-encoding the result.</p>
+
+          <code>code_challenge = BASE64URL-ENCODE(SHA256(ASCII(code_verifier)))</code>
+
+          <p id="authorization-request-p-6">For backwards compatibility, authorization endpoints <em class="rfc2119" title="MAY">MAY</em> accept authorization requests without a code challenge if the authorization server wishes to support older clients.</p>
+
+          <ul>
+            <li id="authorization-request-li-1"><code>response_type=code</code> - Indicates to the authorization server that an authorization code should be returned as the response</li>
+            <li id="authorization-request-li-2"><code>client_id</code> - The client URL</li>
+            <li id="authorization-request-li-3"><code>redirect_uri</code> - The redirect URL indicating where the user should be redirected to after approving the request</li>
+            <li id="authorization-request-li-4"><code>state</code> - A parameter set by the client which will be included when the user is redirected back to the client. This is used to prevent CSRF attacks. The authorization server <em class="rfc2119" title="MUST">MUST</em> return the unmodified state value back to the client.</li>
+            <li id="authorization-request-li-5"><code>code_challenge</code> - The code challenge as previously described.</li>
+            <li id="authorization-request-li-6"><code>code_challenge_method</code> - The hashing method used to calculate the code challenge, e.g. "S256"</li>
+            <li id="authorization-request-li-7"><code>scope</code> - (optional) A space-separated list of scopes the client is requesting, e.g. "profile", or "profile create". If the client omits this value, the authorization server <em class="rfc2119" title="MUST NOT">MUST NOT</em> issue an access token for this authorization code. Only the user's profile URL may be returned without any scope requested. See <a href="#profile-information">Profile Information</a> for details about which scopes to request to return user profile information.</li>
+            <li id="authorization-request-li-8"><code>me</code> - (optional) The profile URL that the user entered</li>
+          </ul>
+
+          <div class="example" id="example-5">
+        <div class="marker">
+    <a class="self-link" href="#example-5">Example<bdi> 5</bdi></a>
+  </div> <pre class="nohighlight">https://example.org/auth?response_type=code&amp;
+                          client_id=https://app.example.com/&amp;
+                          redirect_uri=https://app.example.com/redirect&amp;
+                          state=1234567890&amp;
+                          code_challenge=OfYAxt8zU2dAPDWQxTAUIteRzMsoj9QBdMIVEDOErUo&amp;
+                          code_challenge_method=S256&amp;
+                          scope=profile+create+update+delete&amp;
+                          me=https://user.example.net/</pre>
+      </div>
+
+          <p id="authorization-request-p-7">The client <em class="rfc2119" title="SHOULD">SHOULD</em> provide the <code>me</code> query string parameter to the authorization endpoint, either the exact value the user entered, or the canonical profile URL resulting from the discovery step.</p>
+
+          <p id="authorization-request-p-8">The authorization endpoint <em class="rfc2119" title="SHOULD">SHOULD</em> fetch the <code>client_id</code> URL to retrieve application information and the client's registered redirect URLs, see <a href="#client-information-discovery">Client Information Discovery</a> for more information.</p>
+
+          <p id="authorization-request-p-9">If the URL scheme, host or port of the <code>redirect_uri</code> in the request do not match that of the <code>client_id</code>, then the authorization endpoint <em class="rfc2119" title="SHOULD">SHOULD</em> verify that the requested <code>redirect_uri</code> matches one of the <a href="#redirect-url">redirect URLs</a> published by the client, and <em class="rfc2119" title="SHOULD">SHOULD</em> block the request from proceeding if not.</p>
+
+          <p id="authorization-request-p-10">It is up to the authorization endpoint how to authenticate the user. This step is out of scope of OAuth 2.0, and is highly dependent on the particular implementation. Some authorization servers use typical username/password authentication, and others use alternative forms of authentication such as [<cite><a class="bibref" data-link-type="biblio" href="#bib-relmeauth" title="RelMeAuth">RelMeAuth</a></cite>], or delegate to other identity providers.</p>
+
+          <p id="authorization-request-p-11">The authorization endpoint <em class="rfc2119" title="MAY">MAY</em> use the provided <code>me</code> query component as a hint of which user is attempting to sign in, and to indicate which profile URL the client is expecting in the resulting profile URL response or access token response. This is specifically helpful for authorization endpoints where users have multiple supported profile URLs, so the authorization endpoint can make an informed decision as to which profile URL the user meant to identify as. Note that from the authorization endpoint's view, this value as provided by the client is unverified external data and <em class="rfc2119" title="MUST NOT">MUST NOT</em> be assumed to be valid data at this stage. If the logged-in user doesn't match the provided <code>me</code> parameter by the client, the authorization endpoint <em class="rfc2119" title="MAY">MAY</em> either ignore the <code>me</code> parameter completely or display an error, at the authorization endpoint's discretion.</p>
+
+          <p id="authorization-request-p-12">Once the user is authenticated, the authorization endpoint presents the authorization request to the user. The prompt <em class="rfc2119" title="MUST">MUST</em> indicate which application the user is signing in to, and <em class="rfc2119" title="SHOULD">SHOULD</em> provide as much detail as possible about the request, such as information about the requested scopes.</p>
+
+        <section id="authorization-response">
+          <h4 id="x5-2-1-authorization-response"><bdi class="secno">5.2.1 </bdi>Authorization Response<a class="self-link" aria-label="§" href="#authorization-response"></a></h4>
+
+          <p id="authorization-response-p-1">If the user approves the request, the authorization endpoint generates an authorization code and builds the redirect back to the client.</p>
+
+          <p id="authorization-response-p-2">The redirect is built by starting with the <code>redirect_uri</code> in the request, and adding the following parameters to the query component of the redirect URL:</p>
+
+          <ul>
+            <li id="authorization-response-li-1"><code>code</code> - The authorization code generated by the authorization endpoint. The code <em class="rfc2119" title="MUST">MUST</em> expire shortly after it is issued to mitigate the risk of leaks, and <em class="rfc2119" title="MUST">MUST</em> be valid for only one use. A maximum lifetime of 10 minutes is recommended. See <a href="https://tools.ietf.org/html/rfc6749#section-4.1.2">OAuth 2.0 Section 4.1.2</a> for additional requirements on the authorization code.</li>
+            <li id="authorization-response-li-2"><code>state</code> - The state parameter <em class="rfc2119" title="MUST">MUST</em> be set to the exact value that the client set in the request.</li>
+          </ul>
+
+          <div class="example" id="example-6">
+        <div class="marker">
+    <a class="self-link" href="#example-6">Example<bdi> 6</bdi></a>
+  </div> <pre class="nohighlight">HTTP/1.1 302 Found
+  Location: https://app.example.com/redirect?code=xxxxxxxx
+                                             state=1234567890</pre>
+      </div>
+
+          <p id="authorization-response-p-3">Upon the redirect back to the client, the client <em class="rfc2119" title="MUST">MUST</em> verify that the state parameter in the request is valid and matches the state parameter that it initially created, in order to prevent CSRF attacks. The state value can also store session information to enable development of clients that cannot store data themselves.</p>
+
+          <p id="authorization-response-p-4">See OAuth 2.0 [<cite><a class="bibref" data-link-type="biblio" href="#bib-rfc6749" title="The OAuth 2.0 Authorization Framework">RFC6749</a></cite>] <a href="https://tools.ietf.org/html/rfc6749#section-4.1.2.1">Section 4.1.2.1</a> for how to indicate errors and other failures to the user and client.</p>
+        </section>
+      </section>
+
+      <section id="redeeming-the-authorization-code">
+        <h3 id="x5-3-redeeming-the-authorization-code"><bdi class="secno">5.3 </bdi>Redeeming the Authorization Code<a class="self-link" aria-label="§" href="#redeeming-the-authorization-code"></a></h3>
+
+        <p id="redeeming-the-authorization-code-p-1">Once the client has obtained an authorization code, it can redeem it for an access token or the user's final profile URL.</p>
+
+        <section id="request">
+          <h4 id="x5-3-1-request"><bdi class="secno">5.3.1 </bdi>Request<a class="self-link" aria-label="§" href="#request"></a></h4>
+
+          <p id="request-p-1">If the client needs an access token in order to make requests to a resource server such as a [<cite><a class="bibref" data-link-type="biblio" href="#bib-micropub" title="Micropub">Micropub</a></cite>] endpoint, it can exchange the authorization code for an access token and the user's profile URL at the <b>token endpoint</b>.</p>
+
+          <p id="request-p-2">If the client only needs to know the user who logged in and does not need to make requests to resource servers with an access token, the client exchanges the authorization code for the user's profile URL at the <b>authorization endpoint</b>.</p>
+
+          <p id="request-p-3">After the client validates the state parameter, the client makes a POST request to the token endpoint or authorization endpoint to exchange the authorization code for the final user profile URL and/or access token. The POST request contains the following parameters:</p>
+
+          <ul>
+            <li id="request-li-1"><code>grant_type=authorization_code</code></li>
+            <li id="request-li-2"><code>code</code> - The authorization code received from the authorization endpoint in the redirect.</li>
+            <li id="request-li-3"><code>client_id</code> - The client's URL, which <em class="rfc2119" title="MUST">MUST</em> match the client_id used in the authentication request.</li>
+            <li id="request-li-4"><code>redirect_uri</code> - The client's redirect URL, which <em class="rfc2119" title="MUST">MUST</em> match the initial authentication request.</li>
+            <li id="request-li-5"><code>code_verifier</code> - The original plaintext random string generated before starting the authorization request.</li>
+          </ul>
+
+          <b>Example request to authorization endpoint</b>
+          <div class="example" id="example-7">
+        <div class="marker">
+    <a class="self-link" href="#example-7">Example<bdi> 7</bdi></a>
+  </div> <pre class="nohighlight">POST https://example.org/auth
+  Content-type: application/x-www-form-urlencoded
+  Accept: application/json
+
+  grant_type=authorization_code
+  &amp;code=xxxxxxxx
+  &amp;client_id=https://app.example.com/
+  &amp;redirect_uri=https://app.example.com/redirect
+  &amp;code_verifier=a6128783714cfda1d388e2e98b6ae8221ac31aca31959e59512c59f5</pre>
+      </div>
+
+          <b>Example request to token endpoint</b>
+          <div class="example" id="example-8">
+        <div class="marker">
+    <a class="self-link" href="#example-8">Example<bdi> 8</bdi></a>
+  </div> <pre class="nohighlight">POST https://example.org/token
+Content-type: application/x-www-form-urlencoded
+Accept: application/json
+
+grant_type=authorization_code
+&amp;code=xxxxxxxx
+&amp;client_id=https://app.example.com/
+&amp;redirect_uri=https://app.example.com/redirect
+&amp;code_verifier=a6128783714cfda1d388e2e98b6ae8221ac31aca31959e59512c59f5</pre>
+      </div>
+        </section>
+
+          <p id="redeeming-the-authorization-code-p-5">Note that for backwards compatibility, the authorization endpoint <em class="rfc2119" title="MAY">MAY</em> allow requests without the <code>code_verifier</code>. If an authorization code was issued with no <code>code_challenge</code> present, then the authorization code exchange <em class="rfc2119" title="MUST NOT">MUST NOT</em> include a <code>code_verifier</code>, and similarly, if an authorization code was issued with a <code>code_challenge</code> present, then the authorization code exchange <em class="rfc2119" title="MUST">MUST</em> include a <code>code_verifier</code>.</p>
+
+        <section id="profile-url-response">
+          <h4 id="x5-3-2-profile-url-response"><bdi class="secno">5.3.2 </bdi>Profile URL Response<a class="self-link" aria-label="§" href="#profile-url-response"></a></h4>
+
+          <p id="profile-url-response-p-1">When the client receives an authorization code that was requested with either no scope or only profile scopes (<a href="#profile-information">defined below</a>), the client will exchange the authorization code at the <b>authorization endpoint</b>, and only the canonical user profile URL and possibly profile information is returned.</p>
+
+          <p id="profile-url-response-p-2">The authorization endpoint verifies that the authorization code is valid, has not yet been used, and that it was issued for the matching <code>client_id</code> and <code>redirect_uri</code>, and checks that the provided <code>code_verifier</code> hashes to the same value as given in the <code>code_challenge</code> in the original authorization request. If the request is valid, then the endpoint responds with a JSON [<cite><a class="bibref" data-link-type="biblio" href="#bib-rfc7159" title="The JavaScript Object Notation (JSON) Data Interchange Format">RFC7159</a></cite>] object containing the property <code>me</code>, with the canonical user profile URL for the user who signed in, and optionally the property <code>profile</code> with the user's profile information as defined in <a href="#profile-information">Profile Information</a>.</p>
+
+          <div class="example" id="example-9">
+        <div class="marker">
+    <a class="self-link" href="#example-9">Example<bdi> 9</bdi></a>
+  </div> <pre class="nohighlight">HTTP/1.1 200 OK
+  Content-Type: application/json
+
+  {
+    "me": "https://user.example.net/"
+  }</pre>
+      </div>
+
+          <p id="profile-url-response-p-3">The resulting profile URL <em class="rfc2119" title="MAY">MAY</em> be different from canonical profile URL as resolved by the client, but <em class="rfc2119" title="MUST">MUST</em> be on the same domain. This gives the authorization endpoint an opportunity to canonicalize the user's URL, such as correcting <code>http</code> to <code>https</code>, or adding a path if required. See <a href="#redirect-examples">Redirect Examples</a> for an example of how a service can allow a user to enter a URL on a domain different from their resulting <code>me</code> profile URL, and see <a href="#differing-user-profile-urls">Differing User Profile URLs</a> for security considerations client developers should be aware of..</p>
+
+          <p id="profile-url-response-p-4">See OAuth 2.0 [<cite><a class="bibref" data-link-type="biblio" href="#bib-rfc6749" title="The OAuth 2.0 Authorization Framework">RFC6749</a></cite>] <a href="https://tools.ietf.org/html/rfc6749#section-5.2">Section 5.2</a> for how to respond in the case of errors or other failures.</p>
+        </section>
+
+        <section id="access-token-response">
+          <h4 id="x5-3-3-access-token-response"><bdi class="secno">5.3.3 </bdi>Access Token Response<a class="self-link" aria-label="§" href="#access-token-response"></a></h4>
+
+          <p id="access-token-response-p-1">When the client receives an authorization code that was requested with one or more scopes that will result in an access token being returned, the client will exchange the authorization code at the <b>token endpoint</b>.</p>
+
+          <p id="access-token-response-p-2">The token endpoint needs to verify that the authorization code is valid, and that it was issued for the matching <code>client_id</code> and <code>redirect_uri</code>, contains at least one <code>scope</code>, and checks that the provided <code>code_verifier</code> hashes to the same value as given in the <code>code_challenge</code> in the original authorization request. If the authorization code was issued with no <code>scope</code>, the token endpoint <em class="rfc2119" title="MUST NOT">MUST NOT</em> issue an access token, as empty scopes are invalid per Section 3.3 of OAuth 2.0 [<cite><a class="bibref" data-link-type="biblio" href="#bib-rfc6749" title="The OAuth 2.0 Authorization Framework">RFC6749</a></cite>].</p>
+
+          <p id="access-token-response-p-3">The specifics of how the token endpoint verifies the authorization code are out of scope of this document, as typically the authorization endpoint and token endpoint are part of the same system and can share storage or another private communication mechanism.</p>
+
+          <p id="access-token-response-p-4">If the request is valid, then the token endpoint can generate an access token and return the appropriate response. The token response is a JSON [<cite><a class="bibref" data-link-type="biblio" href="#bib-rfc7159" title="The JavaScript Object Notation (JSON) Data Interchange Format">RFC7159</a></cite>] object containing the OAuth 2.0 Bearer Token [<cite><a class="bibref" data-link-type="biblio" href="#bib-rfc6750" title="The OAuth 2.0 Authorization Framework: Bearer Token Usage">RFC6750</a></cite>], as well as a property <code>me</code>, containing the canonical user profile URL for the user this access token corresponds to, and optionally the property <code>profile</code> with the user's profile information as defined in <a href="#profile-information">Profile Information</a>. For example:</p>
+
+          <div class="example" id="example-10">
+        <div class="marker">
+    <a class="self-link" href="#example-10">Example<bdi> 10</bdi></a>
+  </div> <pre class="nohighlight">HTTP/1.1 200 OK
+Content-Type: application/json
+
+{
+  "access_token": "XXXXXX",
+  "token_type": "Bearer",
+  "scope": "create update delete",
+  "me": "https://user.example.net/"
+}</pre>
+      </div>
+
+          <p id="access-token-response-p-5">The resulting profile URL <em class="rfc2119" title="MAY">MAY</em> be different from the canonical profile URL as resolved by the client, but <em class="rfc2119" title="MUST">MUST</em> be on the same domain. This provides the opportunity to canonicalize the user's URL, such as correcting <code>http</code> to <code>https</code>, or adding a path if required. See <a href="#redirect-examples">Redirect Examples</a> for an example of how a service can allow a user to enter a URL on a domain different from their resulting <code>me</code> profile URL.</p>
+
+          <p id="access-token-response-p-6">See OAuth 2.0 [<cite><a class="bibref" data-link-type="biblio" href="#bib-rfc6749" title="The OAuth 2.0 Authorization Framework">RFC6749</a></cite>] <a href="https://tools.ietf.org/html/rfc6749#section-5.2">Section 5.2</a> for how to respond in the case of errors or other failures.</p>
+        </section>
+
+        <section id="profile-information">
+          <h4 id="x5-3-4-profile-information"><bdi class="secno">5.3.4 </bdi>Profile Information<a class="self-link" aria-label="§" href="#profile-information"></a></h4>
+
+          <h5 id="requesting-profile-information">Requesting Profile Information<a class="self-link" aria-label="§" href="#profile-information"></a></h5>
+
+          <p id="profile-information-p-1">If the client would like to request the user's profile information in addition to confirming their profile URL, the client can include one or more scopes in the initial authorization request. The following <code>scope</code> values are defined by this specification to request profile information about the user:</p>
+
+          <ul>
+            <li id="profile-information-li-1"><code>profile</code> (required) - This scope requests access to the user's default profile information which include the following properties: <code>name</code>, <code>photo</code>, <code>url</code>.</li>
+            <li id="profile-information-li-2"><code>email</code> - This scope requests access to the user's email address in the following property: <code>email</code>.</li>
+          </ul>
+
+          <p id="profile-information-p-2">Note that because the <code>profile</code> scope is required when requesting profile information, the <code>email</code> scope cannot be requested on its own and must be requested along with the <code>profile</code> scope if desired.</p><p id="profile-information-p-3">
+
+          </p><p id="profile-information-p-4">When an authorization code is issued with any of the scopes defined above, then the response when exchanging the authorization code <em class="rfc2119" title="MAY">MAY</em> include a new property, <code>profile</code>, alongside the <code>me</code> property in the response from the authorization endpoint or the token endpoint. The <code>profile</code> property is defined as a JSON [<cite><a class="bibref" data-link-type="biblio" href="#bib-rfc7159" title="The JavaScript Object Notation (JSON) Data Interchange Format">RFC7159</a></cite>] object with the properties defined by each scope above.</p>
+
+          <p id="profile-information-p-5">For example, a complete response to a request with the scopes <code>profile email create</code>, including an access token and profile information, may look like the following:</p>
+
+          <div class="example" id="example-11">
+        <div class="marker">
+    <a class="self-link" href="#example-11">Example<bdi> 11</bdi></a>
+  </div> <pre class="nohighlight">HTTP/1.1 200 OK
+Content-Type: application/json
+
+{
+  "access_token": "XXXXXX",
+  "token_type": "Bearer",
+  "scope": "profile email create",
+  "me": "https://user.example.net/",
+  "profile": {
+    "name": "Example User",
+    "url": "https://user.example.net/",
+    "photo": "https://user.example.net/photo.jpg",
+    "email": "user@example.net"
+  }
+}</pre>
+      </div>
+
+          <p id="profile-information-p-6">As is always the case with OAuth 2.0, there is no guarantee that the scopes the client requests will be granted by the authorization server or the user. The client should not rely on the presence of profile information even when requesting the profile scope. As such, implementing support for returning profile information from the authorization server is entirely optional.</p>
+
+          <p id="profile-information-p-7">The information returned in the <code>profile</code> object is informational, and there is no guarantee that this information is "real" or "verified". The information provided is only what the user has chosen to share with the client, and may even vary depending on which client is requesting this data.</p>
+
+          <p id="profile-information-p-8">The client <em class="rfc2119" title="MUST NOT">MUST NOT</em> treat the information in the <code>profile</code> object as canonical or authoritative, and <em class="rfc2119" title="MUST NOT">MUST NOT</em> make any authentication or identification decisions based on this information.</p>
+
+          <p id="profile-information-p-9">For example, attempting to use the <code>email</code> returned in the profile object as a user identifier will lead to security holes, as any user can create an authorization endpoint that returns any email address in the profile response. A client using the email address returned here should treat it the same as if it had been hand-entered in the client application and go through its own verification process before using it.</p>
+
+          <p id="profile-information-p-10">Similarly, the <code>url</code> returned in the <code>profile</code> object is not guaranteed to match the <code>me</code> URL, and may even be on a different domain. For example, a multi-author website may use the website's URL as the <code>me</code> URL, but return each specific author's own personal website in the profile data.</p>
+
+        </section>
+
+      </section>
+
+    </section>
+
+    <section class="normative" id="access-token-verification">
+      <h2 id="x6-access-token-verification"><bdi class="secno">6. </bdi>Access Token Verification<a class="self-link" aria-label="§" href="#access-token-verification"></a></h2>
+
+      <p id="access-token-verification-p-1">In OAuth 2.0, access tokens are opaque to clients, so clients do not need to know anything about the contents or structure of the token itself. Additionally, endpoints that clients make requests to, such as [<cite><a class="bibref" data-link-type="biblio" href="#bib-micropub" title="Micropub">Micropub</a></cite>] endpoints, may not even understand how to interpret tokens if they were issued by a standalone token endpoint. If the token endpoint is not tightly integrated with the resource server the client is interacting with, then the resource server needs a way to verify access tokens that it receives from clients. If the token endpoint and Micropub endpoint are tightly coupled, then they can of course use an internal mechanism to verify access tokens.</p>
+
+      <p id="access-token-verification-p-2">Token endpoints that intend to interoperate with other endpoints <em class="rfc2119" title="MUST">MUST</em> use the mechanism described below to allow resource servers such as Micropub endpoints to verify access tokens.</p>
+
+      <section id="access-token-verification-request">
+        <h3 id="x6-1-access-token-verification-request"><bdi class="secno">6.1 </bdi>Access Token Verification Request<a class="self-link" aria-label="§" href="#access-token-verification-request"></a></h3>
+
+        <p id="access-token-verification-request-p-1">If a resource server needs to verify that an access token is valid, it <em class="rfc2119" title="MUST">MUST</em> make a GET request to the token endpoint containing an HTTP <code>Authorization</code> header with the Bearer Token according to [<cite><a class="bibref" data-link-type="biblio" href="#bib-rfc6750" title="The OAuth 2.0 Authorization Framework: Bearer Token Usage">RFC6750</a></cite>]. Note that the request to the endpoint will not contain any user-identifying information, so the resource server (e.g. Micropub endpoint) will need to know via out-of-band methods which token endpoint is in use.</p>
+
+        <div class="example" id="example-12">
+        <div class="marker">
+    <a class="self-link" href="#example-12">Example<bdi> 12</bdi></a>
+  </div> <pre class="nohighlight">GET https://example.org/token
+  Authorization: Bearer xxxxxxxx
+  Accept: application/json</pre>
+      </div>
+      </section>
+
+      <section id="access-token-verification-response">
+        <h3 id="x6-2-access-token-verification-response"><bdi class="secno">6.2 </bdi>Access Token Verification Response<a class="self-link" aria-label="§" href="#access-token-verification-response"></a></h3>
+
+        <p id="access-token-verification-response-p-1">The token endpoint verifies the access token (how this verification is done is up to the implementation), and returns information about the token:</p>
+
+        <ul>
+          <li id="access-token-verification-response-li-1"><code>me</code> - The profile URL of the user corresponding to this token</li>
+          <li id="access-token-verification-response-li-2"><code>client_id</code> - The client ID associated with this token</li>
+          <li id="access-token-verification-response-li-3"><code>scope</code> - A space-separated list of scopes associated with this token</li>
+        </ul>
+
+        <div class="example" id="example-13">
+        <div class="marker">
+    <a class="self-link" href="#example-13">Example<bdi> 13</bdi></a>
+  </div> <pre class="nohighlight">HTTP/1.1 200 OK
+  Content-Type: application/json
+
+  {
+  "me": "https://user.example.net/",
+  "client_id": https://app.example.com/",
+  "scope": "create update delete"
+  }</pre>
+      </div>
+
+        <p id="access-token-verification-response-p-2">Specific implementations <em class="rfc2119" title="MAY">MAY</em> include additional parameters as top-level JSON properties. Clients <em class="rfc2119" title="SHOULD">SHOULD</em> ignore parameters they don't recognize.</p>
+
+        <p id="access-token-verification-response-p-3">If the token is not valid, the endpoint <em class="rfc2119" title="MUST">MUST</em> return an appropriate HTTP 400, 401 or 403 response. The response body is not significant.</p>
+      </section>
+    </section>
+
+    <section class="normative" id="token-revocation">
+      <h2 id="x7-token-revocation"><bdi class="secno">7. </bdi>Token Revocation<a class="self-link" aria-label="§" href="#token-revocation"></a></h2>
+
+      <p id="token-revocation-p-1">A client may wish to explicitly disable an access token that it has obtained, such as when the user signs out of the client. IndieAuth extends OAuth 2.0 Token Revocation [<cite><a class="bibref" data-link-type="biblio" href="#bib-rfc7009" title="OAuth 2.0 Token Revocation">RFC7009</a></cite>] by defining the following:</p>
+
+      <ul>
+        <li id="token-revocation-li-1">The revocation endpoint is the same as the token endpoint.</li>
+        <li id="token-revocation-li-2">The revocation request includes an additional parameter, <code>action=revoke</code>.</li>
+      </ul>
+
+      <section id="token-revocation-request">
+        <h3 id="x7-1-token-revocation-request"><bdi class="secno">7.1 </bdi>Token Revocation Request<a class="self-link" aria-label="§" href="#token-revocation-request"></a></h3>
+
+        <p id="token-revocation-request-p-1">An example revocation request is below.</p>
+
+        <div class="example" id="example-14">
+        <div class="marker">
+    <a class="self-link" href="#example-14">Example<bdi> 14</bdi></a>
+  </div> <pre class="nohighlight">POST https://example.org/token HTTP/1.1
+  Content-Type: application/x-www-form-urlencoded
+  Accept: application/json
+
+  action=revoke
+  &amp;token=xxxxxxxx</pre>
+      </div>
+
+        <p id="token-revocation-request-p-2">As described in [<cite><a class="bibref" data-link-type="biblio" href="#bib-rfc7009" title="OAuth 2.0 Token Revocation">RFC7009</a></cite>], the revocation endpoint responds with HTTP 200 for both the case where the token was successfully revoked, or if the submitted token was invalid.</p>
+      </section>
+    </section>
+
+
+    <section id="security-considerations">
+      <h2 id="x8-security-considerations"><bdi class="secno">8. </bdi>Security Considerations<a class="self-link" aria-label="§" href="#security-considerations"></a></h2>
+
+      <p id="security-considerations-p-1">In addition to the security considerations in OAuth 2.0 Core [<cite><a class="bibref" data-link-type="biblio" href="#bib-rfc6749" title="The OAuth 2.0 Authorization Framework">RFC6749</a></cite>] and OAuth 2.0 Threat Model and Security Considerations [<cite><a class="bibref" data-link-type="biblio" href="#bib-rfc6819" title="OAuth 2.0 Threat Model and Security Considerations">RFC6819</a></cite>], the additional considerations apply.</p>
+
+      <section id="differing-user-profile-urls">
+        <h3 id="x8-1-differing-user-profile-urls"><bdi class="secno">8.1 </bdi>Differing User Profile URLs<a class="self-link" aria-label="§" href="#differing-user-profile-urls"></a></h3>
+
+        <p id="differing-user-profile-urls-p-1">Clients will initially prompt the user for their profile URL in order to discover the necessary endpoints to perform authentication or authorization. However, there may be slight differences between the URL that the user initially enters vs what the system considers the user's canonical profile URL.</p>
+
+        <p id="differing-user-profile-urls-p-2">For example, a user might enter <code>user.example.net</code> in a login interface, and the client may assume a default scheme of <code>http</code>, providing an initial profile URL of <code>http://user.example.net</code>. Once the authentication or authorization flow is complete, the response in the <code>me</code> parameter might be the canonical <code>https://user.example.net/</code>. In some cases, user profile URLs have a full path component such as <code>https://example.net/username</code>, but users may enter just <code>example.net</code> in the login interface.</p>
+
+        <p id="differing-user-profile-urls-p-3">Upon validation, clients <em class="rfc2119" title="MUST">MUST</em> check the <code>me</code> value from the <a href="#profile-url-response">profile URL response</a> or <a href="#access-token-response">access token response</a>, and take the following validation steps:</p>
+
+        <ol>
+          <li id="differing-user-profile-urls-li-1">It <em class="rfc2119" title="MUST">MUST</em> follow any permanent redirections from this URL to discover the canonical profile URL, in the same manner as <a href="#discovery-by-clients">initial profile URL discovery</a>.</li>
+          <li id="differing-user-profile-urls-li-2">It <em class="rfc2119" title="MUST">MUST</em> verify that the canonical profile URL is on the same domain as the initially-entered profile URL.</li>
+          <li id="differing-user-profile-urls-li-3">It <em class="rfc2119" title="MUST">MUST</em> verify that the canonical profile URL declares the same <code>authorization_endpoint</code> as the initially-entered profile URL.</li>
+        </ol>
+
+        <p id="differing-user-profile-urls-p-4">These steps ensure that an authorization endpoint is not able to issue valid responses for arbitrary profile URLs, and that users on a shared domain cannot forge authorization on behalf of other users of that domain.</p>
+
+      </section>
+
+      <section id="preventing-phishing-and-redirect-attacks">
+        <h3 id="x8-2-preventing-phishing-and-redirect-attacks"><bdi class="secno">8.2 </bdi>Preventing Phishing and Redirect Attacks<a class="self-link" aria-label="§" href="#preventing-phishing-and-redirect-attacks"></a></h3>
+
+        <p id="preventing-phishing-and-redirect-attacks-p-1">Authorization servers <em class="rfc2119" title="SHOULD">SHOULD</em> fetch the <code>client_id</code> provided in the authentication or authorization request in order to provide users with additional information about the request, such as the application name and logo. If the server does not fetch the client information, then it <em class="rfc2119" title="SHOULD">SHOULD</em> take additional measures to ensure the user is provided with as much information as possible about the request.</p>
+
+        <p id="preventing-phishing-and-redirect-attacks-p-2">The authorization server <em class="rfc2119" title="SHOULD">SHOULD</em> display the full <code>client_id</code> on the authorization interface, in addition to displaying the fetched application information if any. Displaying the <code>client_id</code> helps users know that they are authorizing the expected application.</p>
+
+        <p id="preventing-phishing-and-redirect-attacks-p-3">Since all IndieAuth clients are public clients, and no client authentication is used, the only measure available to protect against some attacks described in [<cite><a class="bibref" data-link-type="biblio" href="#bib-rfc6819" title="OAuth 2.0 Threat Model and Security Considerations">RFC6819</a></cite>] is strong verification of the client's <code>redirect_uri</code>. If the <code>redirect_uri</code> scheme, host or port differ from that of the <code>client_id</code>, then the authorization server <em class="rfc2119" title="MUST">MUST</em> either verify the redirect URL as described in <a href="#redirect-url">Redirect URL</a>, or display the redirect URL to the user so they can inspect it manually.</p>
+      </section>
+
+    </section>
+
+    <section id="iana-considerations">
+      <h2 id="x9-iana-considerations"><bdi class="secno">9. </bdi>IANA Considerations<a class="self-link" aria-label="§" href="#iana-considerations"></a></h2>
+
+      <p id="iana-considerations-p-1">The link relation types below are documented to be registered by IANA per Section 6.2.1 of [<cite><a class="bibref" data-link-type="biblio" href="#bib-rfc8288" title="Web Linking">RFC8288</a></cite>]:</p>
+
+      <dl>
+        <dt>Relation Name:</dt>
+        <dd>authorization_endpoint</dd>
+
+        <dt>Description:</dt>
+        <dd>Used for discovery of the OAuth 2.0 authorization endpoint given an IndieAuth profile URL.</dd>
+
+        <dt>Reference:</dt>
+        <dd><a href="https://indieauth.spec.indieweb.org/">IndieAuth Specification (https://indieauth.spec.indieweb.org/)</a></dd>
+      </dl>
+
+      <dl>
+        <dt>Relation Name:</dt>
+        <dd>token_endpoint</dd>
+
+        <dt>Description:</dt>
+        <dd>Used for discovery of the OAuth 2.0 token endpoint given an IndieAuth profile URL.</dd>
+
+        <dt>Reference:</dt>
+        <dd><a href="https://indieauth.spec.indieweb.org/">IndieAuth Specification (https://indieauth.spec.indieweb.org/)</a></dd>
+      </dl>
+
+      <dl>
+        <dt>Relation Name:</dt>
+        <dd>redirect_uri</dd>
+
+        <dt>Description:</dt>
+        <dd>Used for discovery of the OAuth 2.0 redirect URI given an IndieAuth client ID.</dd>
+
+        <dt>Reference:</dt>
+        <dd><a href="https://indieauth.spec.indieweb.org/">IndieAuth Specification (https://indieauth.spec.indieweb.org/)</a></dd>
+      </dl>
+    </section>
+
+    
+
+    <section class="appendix informative" id="resources">
+      <h2 id="a-resources"><bdi class="secno">A. </bdi>Resources<a class="self-link" aria-label="§" href="#resources"></a></h2><p id="resources-p-1"><em>This section is non-normative.</em></p>
+
+      <p id="resources-p-2">
+        </p><ul>
+          
+          <li id="resources-li-1"><a href="https://indieweb.org/Category:IndieAuth">More IndieAuth resources</a></li>
+          <li id="resources-li-2"><a href="https://indieweb.org/obtaining-an-access-token">Implementation guide for obtaining an access token using IndieAuth</a></li>
+          <li id="resources-li-3"><a href="https://indieweb.org/indieauth-for-login">Implementation guide for authenticating users without obtaining an access token</a></li>
+        </ul>
+      <p id="resources-p-3"></p>
+
+      <section class="appendix informative" id="articles">
+        <h3 id="a-1-articles"><bdi class="secno">A.1 </bdi>Articles<a class="self-link" aria-label="§" href="#articles"></a></h3><p id="articles-p-1"><em>This section is non-normative.</em></p>
+
+        <p id="articles-p-2">You can find a list of <a href="https://indieweb.org/IndieAuth#Articles">articles about IndieAuth</a> on the IndieWeb wiki.</p>
+      </section>
+
+      <section class="appendix informative" id="implementations">
+        <h3 id="a-2-implementations"><bdi class="secno">A.2 </bdi>Implementations<a class="self-link" aria-label="§" href="#implementations"></a></h3><p id="implementations-p-1"><em>This section is non-normative.</em></p>
+
+        <p id="implementations-p-2">You can find a list of <a href="https://indieauth.net/implementations">IndieAuth implementations</a> on indieauth.net</p>
+      </section>
+
+    </section>
+
+    <section class="appendix" id="acknowledgements">
+      <h2 id="b-acknowledgements"><bdi class="secno">B. </bdi>Acknowledgements<a class="self-link" aria-label="§" href="#acknowledgements"></a></h2>
+
+      <p id="acknowledgements-p-1">The editor wishes to thank the <a href="https://indieweb.org/">IndieWeb</a>
+        community and other implementers for their support, encouragement and enthusiasm,
+        including but not limited to: Amy Guy, Barnaby Walters, Benjamin Roberts, Bret Comnes, Christian Weiske, Dmitri Shuralyov, François Kooman, Jeena Paradies, Martijn van der Ven, Sebastiaan Andeweg, Sven Knebel, and Tantek Çelik.</p>
+    </section>
+
+    <section class="appendix informative" id="change-log">
+      <h2 id="c-change-log"><bdi class="secno">C. </bdi>Change Log<a class="self-link" aria-label="§" href="#change-log"></a></h2><p id="change-log-p-1"><em>This section is non-normative.</em></p>
+
+      <section id="changes-from-09-august-2020-to-this-version">
+        <h3 id="c-1-changes-from-09-august-2020-to-this-version"><bdi class="secno">C.1 </bdi>Changes from 09 August 2020 to this version<a class="self-link" aria-label="§" href="#changes-from-09-august-2020-to-this-version"></a></h3>
+        <ul>
+          <li id="changes-from-09-august-2020-to-this-version-li-1">Make the <code>me</code> parameter optional (but recommended) in the authorization request</li>
+          <li id="changes-from-09-august-2020-to-this-version-li-2">Add the option of returning profile information in the response as well as defining profile scopes</li>
+          <li id="changes-from-09-august-2020-to-this-version-li-3">Incorporate PKCE into the spec</li>
+          <li id="changes-from-09-august-2020-to-this-version-li-4">Fixed text about which URL to resolve relative authorization/token endpoint URLs from</li>
+        </ul>
+      </section>
+
+      <section id="changes-from-25-january-2020-to-09-august-2020">
+        <h3 id="c-2-changes-from-25-january-2020-to-09-august-2020"><bdi class="secno">C.2 </bdi>Changes from 25 January 2020 to 09 August 2020<a class="self-link" aria-label="§" href="#changes-from-25-january-2020-to-09-august-2020"></a></h3>
+        <ul>
+          <li id="changes-from-25-january-2020-to-09-august-2020-li-1">Drop the <code>me</code> parameter from the token endpoint request</li>
+          <li id="changes-from-25-january-2020-to-09-august-2020-li-2">Consolidate the authentication and authorization sections into a single section, describing only the difference which is the response returned.</li>
+          <li id="changes-from-25-january-2020-to-09-august-2020-li-3">Drop the section describing communication between token endpoints and authorization endpoints as it was underused</li>
+          <li id="changes-from-25-january-2020-to-09-august-2020-li-4">Editorial changes and rearranging sections</li>
+        </ul>
+      </section>
+
+      <section id="changes-from-03-march-2019-to-25-january-2020">
+        <h3 id="c-3-changes-from-03-march-2019-to-25-january-2020"><bdi class="secno">C.3 </bdi>Changes from 03 March 2019 to 25 January 2020<a class="self-link" aria-label="§" href="#changes-from-03-march-2019-to-25-january-2020"></a></h3>
+        <ul>
+          <li id="changes-from-03-march-2019-to-25-january-2020-li-1">Use "authentication" and "authorization" more consistently in paragraphs and diagrams</li>
+          <li id="changes-from-03-march-2019-to-25-january-2020-li-2">Clarify that "Authorization Code Flow" is "OAuth 2.0 Authorization Code Flow"</li>
+          <li id="changes-from-03-march-2019-to-25-january-2020-li-3">Minor typo fixes</li>
+        </ul>
+      </section>
+
+      <section id="changes-from-07-july-2018-to-03-march-2019">
+        <h3 id="c-4-changes-from-07-july-2018-to-03-march-2019"><bdi class="secno">C.4 </bdi>Changes from 07 July 2018 to 03 March 2019<a class="self-link" aria-label="§" href="#changes-from-07-july-2018-to-03-march-2019"></a></h3>
+        <ul>
+          <li id="changes-from-07-july-2018-to-03-march-2019-li-1">Updates the spec header to note that it is a living standard</li>
+          <li id="changes-from-07-july-2018-to-03-march-2019-li-2">Minor typo fixes</li>
+        </ul>
+      </section>
+
+      <section id="changes-from-23-january-2018-to-07-july-2018">
+        <h3 id="c-5-changes-from-23-january-2018-to-07-july-2018"><bdi class="secno">C.5 </bdi>Changes from <a href="https://www.w3.org/TR/2018/NOTE-indieauth-20180123/">23 January 2018</a> to 07 July 2018<a class="self-link" aria-label="§" href="#changes-from-23-january-2018-to-07-july-2018"></a></h3>
+        <ul>
+          <li id="changes-from-23-january-2018-to-07-july-2018-li-1">Replaced references to RFC 5988 with RFC 8288 (<a href="https://github.com/indieweb/indieauth/commit/69d1d51e9541d8b76233793099b359de898a7154">diff</a>)</li>
+          <li id="changes-from-23-january-2018-to-07-july-2018-li-2">Added <code>Accept: application/json</code> header to example requests (<a href="https://github.com/indieweb/indieauth/commit/bfa39332ea3a38ff31efb7101db5b20f2ecbaff7">diff</a>)</li>
+        </ul>
+      </section>
+
+      <section id="changes-from-07-july-2018-to-03-march-2019-0">
+        <h3 id="c-6-changes-from-07-july-2018-to-03-march-2019"><bdi class="secno">C.6 </bdi>Changes from 07 July 2018 to 03 March 2019<a class="self-link" aria-label="§" href="#changes-from-07-july-2018-to-03-march-2019-0"></a></h3>
+
+        <ul>
+          <li id="changes-from-07-july-2018-to-03-march-2019-0-li-1">Added missing ampersand in HTTP redirect example (<a href="https://github.com/indieweb/indieauth/commit/ffaf128e01712ca38f3a7dd412749c2bf2f1c99a">diff</a>)</li>
+          <li id="changes-from-07-july-2018-to-03-march-2019-0-li-2">Fixed broken references section (<a href="https://github.com/indieweb/indieauth/commit/7f90282274d2703363265d0914b90ce7be8ac0b6">diff</a>)</li>
+          <li id="changes-from-07-july-2018-to-03-march-2019-0-li-3">Fixed internal link to redirect examples (<a href="https://github.com/indieweb/indieauth/commit/e3eef35c2d16e4a4a00767c8da4ac55ad02d7bc0">diff</a>)</li>
+        </ul>
+      </section>
+    </section>
+
+    <script>
+    // After text is selected (mouseup), find the closest element that has an ID
+    // attribute, and update the browser location bar to include that as the fragment
+    document.body.onmouseup = function(){
+      var selection;
+      if(selection=window.getSelection()) {
+        var range = selection.getRangeAt(0);
+        var el = range.startContainer;
+        while((el=el.parentElement) && !el.attributes["id"]);
+        var hash = el.attributes["id"].value;
+        if(history.replaceState) {
+          history.replaceState(null, null, "#"+hash);
+        }
+      }
+    };
+    </script>
+  
+
+<section id="references" class="appendix"><h2 id="d-references"><bdi class="secno">D. </bdi>References<a class="self-link" aria-label="§" href="#references"></a></h2><section id="normative-references">
+      <h3 id="d-1-normative-references"><bdi class="secno">D.1 </bdi>
+        Normative references
+      <a class="self-link" aria-label="§" href="#normative-references"></a></h3>
+    <dl class="bibliography">
+      <dt id="bib-fetch">[Fetch]</dt><dd><a href="https://fetch.spec.whatwg.org/"><cite>Fetch Standard</cite></a>. Anne van Kesteren.  WHATWG. Living Standard. URL: <a href="https://fetch.spec.whatwg.org/">https://fetch.spec.whatwg.org/</a></dd><dt id="bib-h-app">[h-app]</dt><dd><a href="https://microformats.org/wiki/h-app"><cite>h-app</cite></a>. Aaron Parecki.  microformats.org. Living Specification. URL: <a href="https://microformats.org/wiki/h-app">https://microformats.org/wiki/h-app</a></dd><dt id="bib-html">[HTML]</dt><dd><a href="https://html.spec.whatwg.org/multipage/"><cite>HTML Standard</cite></a>. Anne van Kesteren; Domenic Denicola; Ian Hickson; Philip Jägenstedt; Simon Pieters.  WHATWG. Living Standard. URL: <a href="https://html.spec.whatwg.org/multipage/">https://html.spec.whatwg.org/multipage/</a></dd><dt id="bib-rfc2119">[RFC2119]</dt><dd><a href="https://tools.ietf.org/html/rfc2119"><cite>Key words for use in RFCs to Indicate Requirement Levels</cite></a>. S. Bradner.  IETF. March 1997. Best Current Practice. URL: <a href="https://tools.ietf.org/html/rfc2119">https://tools.ietf.org/html/rfc2119</a></dd><dt id="bib-rfc6749">[RFC6749]</dt><dd><a href="https://tools.ietf.org/html/rfc6749"><cite>The OAuth 2.0 Authorization Framework</cite></a>. D. Hardt, Ed..  IETF. October 2012. Proposed Standard. URL: <a href="https://tools.ietf.org/html/rfc6749">https://tools.ietf.org/html/rfc6749</a></dd><dt id="bib-rfc6750">[RFC6750]</dt><dd><a href="https://tools.ietf.org/html/rfc6750"><cite>The OAuth 2.0 Authorization Framework: Bearer Token Usage</cite></a>. M. Jones; D. Hardt.  IETF. October 2012. Proposed Standard. URL: <a href="https://tools.ietf.org/html/rfc6750">https://tools.ietf.org/html/rfc6750</a></dd><dt id="bib-rfc7009">[RFC7009]</dt><dd><a href="https://tools.ietf.org/html/rfc7009"><cite>OAuth 2.0 Token Revocation</cite></a>. T. Lodderstedt, Ed.; S. Dronia; M. Scurtescu.  IETF. August 2013. Proposed Standard. URL: <a href="https://tools.ietf.org/html/rfc7009">https://tools.ietf.org/html/rfc7009</a></dd><dt id="bib-rfc7159">[RFC7159]</dt><dd><a href="https://tools.ietf.org/html/rfc7159"><cite>The JavaScript Object Notation (JSON) Data Interchange Format</cite></a>. T. Bray, Ed..  IETF. March 2014. Proposed Standard. URL: <a href="https://tools.ietf.org/html/rfc7159">https://tools.ietf.org/html/rfc7159</a></dd><dt id="bib-rfc7231">[RFC7231]</dt><dd><a href="https://httpwg.org/specs/rfc7231.html"><cite>Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content</cite></a>. R. Fielding, Ed.; J. Reschke, Ed..  IETF. June 2014. Proposed Standard. URL: <a href="https://httpwg.org/specs/rfc7231.html">https://httpwg.org/specs/rfc7231.html</a></dd><dt id="bib-rfc7636">[RFC7636]</dt><dd><a href="https://tools.ietf.org/html/rfc7636"><cite>Proof Key for Code Exchange by OAuth Public Clients</cite></a>. N. Sakimura, Ed.; J. Bradley; N. Agarwal.  IETF. September 2015. Proposed Standard. URL: <a href="https://tools.ietf.org/html/rfc7636">https://tools.ietf.org/html/rfc7636</a></dd><dt id="bib-rfc8288">[RFC8288]</dt><dd><a href="https://httpwg.org/specs/rfc8288.html"><cite>Web Linking</cite></a>. M. Nottingham.  IETF. October 2017. Proposed Standard. URL: <a href="https://httpwg.org/specs/rfc8288.html">https://httpwg.org/specs/rfc8288.html</a></dd><dt id="bib-url">[URL]</dt><dd><a href="https://url.spec.whatwg.org/"><cite>URL Standard</cite></a>. Anne van Kesteren.  WHATWG. Living Standard. URL: <a href="https://url.spec.whatwg.org/">https://url.spec.whatwg.org/</a></dd>
+    </dl></section><section id="informative-references">
+      <h3 id="d-2-informative-references"><bdi class="secno">D.2 </bdi>
+        Informative references
+      <a class="self-link" aria-label="§" href="#informative-references"></a></h3>
+    <dl class="bibliography">
+      <dt id="bib-micropub">[Micropub]</dt><dd><a href="https://www.w3.org/TR/micropub/"><cite>Micropub</cite></a>. Aaron Parecki.  W3C. 23 May 2017. W3C Recommendation. URL: <a href="https://www.w3.org/TR/micropub/">https://www.w3.org/TR/micropub/</a></dd><dt id="bib-relmeauth">[RelMeAuth]</dt><dd><a href="https://microformats.org/wiki/RelMeAuth"><cite>RelMeAuth</cite></a>. Tantek Çelik.  microformats.org. Living Specification. URL: <a href="https://microformats.org/wiki/RelMeAuth">https://microformats.org/wiki/RelMeAuth</a></dd><dt id="bib-rfc6819">[RFC6819]</dt><dd><a href="https://tools.ietf.org/html/rfc6819"><cite>OAuth 2.0 Threat Model and Security Considerations</cite></a>. T. Lodderstedt, Ed.; M. McGloin; P. Hunt.  IETF. January 2013. Informational. URL: <a href="https://tools.ietf.org/html/rfc6819">https://tools.ietf.org/html/rfc6819</a></dd>
+    </dl></section></section><p role="navigation" id="back-to-top">
+    <a href="#title"><abbr title="Back to Top">↑</abbr></a>
+  </p><script src="https://www.w3.org/scripts/TR/2016/fixup.js"></script></body></html>
\ No newline at end of file
diff --git a/public/spec/index.html b/public/spec/index.html
index 956a1c4..f246e0b 100644
--- a/public/spec/index.html
+++ b/public/spec/index.html
@@ -13,11 +13,11 @@
         verify the identity of an End-User, as well as to obtain an access
         token that can be used to access resources under the control of the End-User."><link rel="canonical" href="https://www.w3.org/TR/indieauth/"><style>.hljs{display:block;overflow-x:auto;padding:.5em;color:#383a42;background:#fafafa}.hljs-comment,.hljs-quote{color:#717277;font-style:italic}.hljs-doctag,.hljs-formula,.hljs-keyword{color:#a626a4}.hljs-deletion,.hljs-name,.hljs-section,.hljs-selector-tag,.hljs-subst{color:#ca4706;font-weight:700}.hljs-literal{color:#0b76c5}.hljs-addition,.hljs-attribute,.hljs-meta-string,.hljs-regexp,.hljs-string{color:#42803c}.hljs-built_in,.hljs-class .hljs-title{color:#9a6a01}.hljs-attr,.hljs-number,.hljs-selector-attr,.hljs-selector-class,.hljs-selector-pseudo,.hljs-template-variable,.hljs-type,.hljs-variable{color:#986801}.hljs-bullet,.hljs-link,.hljs-meta,.hljs-selector-id,.hljs-symbol,.hljs-title{color:#336ae3}.hljs-emphasis{font-style:italic}.hljs-strong{font-weight:700}.hljs-link{text-decoration:underline}</style><style>var{position:relative;cursor:pointer}var[data-type]::after,var[data-type]::before{position:absolute;left:50%;top:-6px;opacity:0;transition:opacity .4s;pointer-events:none}var[data-type]::before{content:"";transform:translateX(-50%);border-width:4px 6px 0 6px;border-style:solid;border-color:transparent;border-top-color:#000}var[data-type]::after{content:attr(data-type);transform:translateX(-50%) translateY(-100%);background:#000;text-align:center;font-family:"Dank Mono","Fira Code",monospace;font-style:normal;padding:6px;border-radius:3px;color:#daca88;text-indent:0;font-weight:400}var[data-type]:hover::after,var[data-type]:hover::before{opacity:1}</style><script id="initialUserConfig" type="application/json">{
   "useExperimentalStyles": true,
-  "publishDate": "2020-08-09",
+  "publishDate": "2020-09-26",
   "specStatus": "NOTE",
-  "previousPublishDate": "2019-03-03",
+  "previousPublishDate": "2020-08-09",
   "previousMaturity": "LS",
-  "previousVersionURL": "https://indieauth.spec.indieweb.org/20190303/",
+  "previousVersionURL": "https://indieauth.spec.indieweb.org/20200809/",
   "shortName": "indieauth",
   "lsURI": "https://indieauth.spec.indieweb.org/",
   "testSuiteURI": "https://indieauth.rocks/",
@@ -119,13 +119,13 @@
       "id": "url"
     }
   },
-  "publishISODate": "2020-08-09T00:00:00.000Z",
-  "generatedSubtitle": "Working Group Note 09 August 2020"
+  "publishISODate": "2020-09-26T00:00:00.000Z",
+  "generatedSubtitle": "Working Group Note 26 September 2020"
 }</script><link rel="stylesheet" href="https://www.w3.org/StyleSheets/TR/2016/W3C-NOTE"></head>
   <body class="h-entry informative" style="background-image: url(&quot;https://spec.indieweb.org/INDIEWEB-LIVING-STANDARD.svg&quot;);"><div class="head">
     <a class="logo" href="https://www.w3.org/"><img alt="W3C" width="120" height="100" src="https://spec.indieweb.org/index_files/logo.svg"></a> <h1 id="title" class="title">IndieAuth</h1>
     
-    <h2>IndieWeb Living Standard 09 August 2020</h2>
+    <h2>IndieWeb Living Standard 26 September 2020</h2>
     <dl>
       <dt>This version:</dt><dd>
               <a class="u-url" href="https://indieauth.spec.indieweb.org/">https://indieauth.spec.indieweb.org/</a>
@@ -134,7 +134,7 @@ <h2>IndieWeb Living Standard 09 August 2020</h2>
       <dt>Test suite:</dt><dd><a href="https://indieauth.rocks/">https://indieauth.rocks/</a></dd>
       
       
-      <dt>Previous version:</dt><dd><a href="https://indieauth.spec.indieweb.org/20200125/">https://indieauth.spec.indieweb.org/20200125/</a></dd>
+      <dt>Previous version:</dt><dd><a href="https://indieauth.spec.indieweb.org/20200809/">https://indieauth.spec.indieweb.org/20200809/</a></dd>
       
       <dt>Editor:</dt>
       <dd class="p-author h-card vcard" data-editor-id="59996"><a class="u-url url p-name fn" href="https://aaronparecki.com/">Aaron Parecki</a></dd>
@@ -177,7 +177,7 @@ <h3 id="author-s-note">Author's Note<a class="self-link" aria-label="§" href="#
     </section>
 
     <section id="sotd" class="introductory"><h2>Status of This Document</h2>
-    <p>This document was published by the IndieWeb community as a Living Standard.</p><p>Per <a href="https://creativecommons.org/publicdomain/zero/1.0/">CC0</a>, to the extent possible under law, the editor(s) and contributors have waived all copyright and related or neighboring rights to this work. In addition, the editor(s) and contributors have made this specification available under the <a href="http://www.openwebfoundation.org/legal/the-owf-1-0-agreements/owfa-1-0">Open Web Foundation Agreement Version 1.0</a>.</p></section><nav id="toc"><h2 class="introductory" id="table-of-contents">Table of Contents</h2><ol class="toc"><li class="tocline"><a class="tocxref" href="#introduction"><bdi class="secno">1. </bdi>Introduction</a><ol class="toc"><li class="tocline"><a class="tocxref" href="#background"><bdi class="secno">1.1 </bdi>Background</a></li><li class="tocline"><a class="tocxref" href="#oauth-2-0-extension"><bdi class="secno">1.2 </bdi>OAuth 2.0 Extension</a></li></ol></li><li class="tocline"><a class="tocxref" href="#conformance"><bdi class="secno">2. </bdi>Conformance</a><ol class="toc"><li class="tocline"><a class="tocxref" href="#conformance-classes"><bdi class="secno">2.1 </bdi>Conformance Classes</a><ol class="toc"><li class="tocline"><a class="tocxref" href="#authorization-endpoint"><bdi class="secno">2.1.1 </bdi>Authorization Endpoint</a></li><li class="tocline"><a class="tocxref" href="#token-endpoint"><bdi class="secno">2.1.2 </bdi>Token Endpoint</a></li><li class="tocline"><a class="tocxref" href="#micropub-client"><bdi class="secno">2.1.3 </bdi>Micropub Client</a></li><li class="tocline"><a class="tocxref" href="#indieauth-client"><bdi class="secno">2.1.4 </bdi>IndieAuth Client</a></li></ol></li></ol></li><li class="tocline"><a class="tocxref" href="#identifiers"><bdi class="secno">3. </bdi>Identifiers</a><ol class="toc"><li class="tocline"><a class="tocxref" href="#user-profile-url"><bdi class="secno">3.1 </bdi>User Profile URL</a></li><li class="tocline"><a class="tocxref" href="#client-identifier"><bdi class="secno">3.2 </bdi>Client Identifier</a></li><li class="tocline"><a class="tocxref" href="#url-canonicalization"><bdi class="secno">3.3 </bdi>URL Canonicalization</a></li></ol></li><li class="tocline"><a class="tocxref" href="#discovery"><bdi class="secno">4. </bdi>Discovery</a><ol class="toc"><li class="tocline"><a class="tocxref" href="#discovery-by-clients"><bdi class="secno">4.1 </bdi>Discovery by Clients</a><ol class="toc"><li class="tocline"><a class="tocxref" href="#redirect-examples"><bdi class="secno">4.1.1 </bdi>Redirect Examples</a><ol class="toc"></ol></li></ol></li><li class="tocline"><a class="tocxref" href="#client-information-discovery"><bdi class="secno">4.2 </bdi>Client Information Discovery</a><ol class="toc"><li class="tocline"><a class="tocxref" href="#application-information"><bdi class="secno">4.2.1 </bdi>Application Information</a></li><li class="tocline"><a class="tocxref" href="#redirect-url"><bdi class="secno">4.2.2 </bdi>Redirect URL</a></li></ol></li></ol></li><li class="tocline"><a class="tocxref" href="#authorization"><bdi class="secno">5. </bdi>Authorization</a><ol class="toc"><li class="tocline"><a class="tocxref" href="#discovery-0"><bdi class="secno">5.1 </bdi>Discovery</a></li><li class="tocline"><a class="tocxref" href="#authorization-request"><bdi class="secno">5.2 </bdi>Authorization Request</a><ol class="toc"><li class="tocline"><a class="tocxref" href="#authorization-response"><bdi class="secno">5.2.1 </bdi>Authorization Response</a></li></ol></li><li class="tocline"><a class="tocxref" href="#redeeming-the-authorization-code"><bdi class="secno">5.3 </bdi>Redeeming the Authorization Code</a><ol class="toc"><li class="tocline"><a class="tocxref" href="#request"><bdi class="secno">5.3.1 </bdi>Request</a></li><li class="tocline"><a class="tocxref" href="#profile-url-response"><bdi class="secno">5.3.2 </bdi>Profile URL Response</a></li><li class="tocline"><a class="tocxref" href="#access-token-response"><bdi class="secno">5.3.3 </bdi>Access Token Response</a></li></ol></li></ol></li><li class="tocline"><a class="tocxref" href="#access-token-verification"><bdi class="secno">6. </bdi>Access Token Verification</a><ol class="toc"><li class="tocline"><a class="tocxref" href="#access-token-verification-request"><bdi class="secno">6.1 </bdi>Access Token Verification Request</a></li><li class="tocline"><a class="tocxref" href="#access-token-verification-response"><bdi class="secno">6.2 </bdi>Access Token Verification Response</a></li></ol></li><li class="tocline"><a class="tocxref" href="#token-revocation"><bdi class="secno">7. </bdi>Token Revocation</a><ol class="toc"><li class="tocline"><a class="tocxref" href="#token-revocation-request"><bdi class="secno">7.1 </bdi>Token Revocation Request</a></li></ol></li><li class="tocline"><a class="tocxref" href="#security-considerations"><bdi class="secno">8. </bdi>Security Considerations</a><ol class="toc"><li class="tocline"><a class="tocxref" href="#differing-user-profile-urls"><bdi class="secno">8.1 </bdi>Differing User Profile URLs</a></li><li class="tocline"><a class="tocxref" href="#preventing-phishing-and-redirect-attacks"><bdi class="secno">8.2 </bdi>Preventing Phishing and Redirect Attacks</a></li></ol></li><li class="tocline"><a class="tocxref" href="#iana-considerations"><bdi class="secno">9. </bdi>IANA Considerations</a></li><li class="tocline"><a class="tocxref" href="#resources"><bdi class="secno">A. </bdi>Resources</a><ol class="toc"><li class="tocline"><a class="tocxref" href="#articles"><bdi class="secno">A.1 </bdi>Articles</a></li><li class="tocline"><a class="tocxref" href="#implementations"><bdi class="secno">A.2 </bdi>Implementations</a></li></ol></li><li class="tocline"><a class="tocxref" href="#acknowledgements"><bdi class="secno">B. </bdi>Acknowledgements</a></li><li class="tocline"><a class="tocxref" href="#change-log"><bdi class="secno">C. </bdi>Change Log</a><ol class="toc"><li class="tocline"><a class="tocxref" href="#changes-from-25-january-2020-to-this-version"><bdi class="secno">C.1 </bdi>Changes from 25 January 2020 to this version</a></li><li class="tocline"><a class="tocxref" href="#changes-from-03-march-2019-to-25-january-2020"><bdi class="secno">C.2 </bdi>Changes from 03 March 2019 to 25 January 2020</a></li><li class="tocline"><a class="tocxref" href="#changes-from-07-july-2018-to-03-march-2019"><bdi class="secno">C.3 </bdi>Changes from 07 July 2018 to 03 March 2019</a></li><li class="tocline"><a class="tocxref" href="#changes-from-23-january-2018-to-07-july-2018"><bdi class="secno">C.4 </bdi>Changes from <span class="formerLink">23 January 2018</span> to 07 July 2018</a></li><li class="tocline"><a class="tocxref" href="#changes-from-07-july-2018-to-03-march-2019-0"><bdi class="secno">C.5 </bdi>Changes from 07 July 2018 to 03 March 2019</a></li></ol></li><li class="tocline"><a class="tocxref" href="#references"><bdi class="secno">D. </bdi>References</a><ol class="toc"><li class="tocline"><a class="tocxref" href="#normative-references"><bdi class="secno">D.1 </bdi>
+    <p>This document was published by the IndieWeb community as a Living Standard.</p><p>Per <a href="https://creativecommons.org/publicdomain/zero/1.0/">CC0</a>, to the extent possible under law, the editor(s) and contributors have waived all copyright and related or neighboring rights to this work. In addition, the editor(s) and contributors have made this specification available under the <a href="http://www.openwebfoundation.org/legal/the-owf-1-0-agreements/owfa-1-0">Open Web Foundation Agreement Version 1.0</a>.</p></section><nav id="toc"><h2 class="introductory" id="table-of-contents">Table of Contents</h2><ol class="toc"><li class="tocline"><a class="tocxref" href="#introduction"><bdi class="secno">1. </bdi>Introduction</a><ol class="toc"><li class="tocline"><a class="tocxref" href="#background"><bdi class="secno">1.1 </bdi>Background</a></li><li class="tocline"><a class="tocxref" href="#oauth-2-0-extension"><bdi class="secno">1.2 </bdi>OAuth 2.0 Extension</a></li></ol></li><li class="tocline"><a class="tocxref" href="#conformance"><bdi class="secno">2. </bdi>Conformance</a><ol class="toc"><li class="tocline"><a class="tocxref" href="#conformance-classes"><bdi class="secno">2.1 </bdi>Conformance Classes</a><ol class="toc"><li class="tocline"><a class="tocxref" href="#authorization-endpoint"><bdi class="secno">2.1.1 </bdi>Authorization Endpoint</a></li><li class="tocline"><a class="tocxref" href="#token-endpoint"><bdi class="secno">2.1.2 </bdi>Token Endpoint</a></li><li class="tocline"><a class="tocxref" href="#micropub-client"><bdi class="secno">2.1.3 </bdi>Micropub Client</a></li><li class="tocline"><a class="tocxref" href="#indieauth-client"><bdi class="secno">2.1.4 </bdi>IndieAuth Client</a></li></ol></li></ol></li><li class="tocline"><a class="tocxref" href="#identifiers"><bdi class="secno">3. </bdi>Identifiers</a><ol class="toc"><li class="tocline"><a class="tocxref" href="#user-profile-url"><bdi class="secno">3.1 </bdi>User Profile URL</a></li><li class="tocline"><a class="tocxref" href="#client-identifier"><bdi class="secno">3.2 </bdi>Client Identifier</a></li><li class="tocline"><a class="tocxref" href="#url-canonicalization"><bdi class="secno">3.3 </bdi>URL Canonicalization</a></li></ol></li><li class="tocline"><a class="tocxref" href="#discovery"><bdi class="secno">4. </bdi>Discovery</a><ol class="toc"><li class="tocline"><a class="tocxref" href="#discovery-by-clients"><bdi class="secno">4.1 </bdi>Discovery by Clients</a><ol class="toc"><li class="tocline"><a class="tocxref" href="#redirect-examples"><bdi class="secno">4.1.1 </bdi>Redirect Examples</a><ol class="toc"></ol></li></ol></li><li class="tocline"><a class="tocxref" href="#client-information-discovery"><bdi class="secno">4.2 </bdi>Client Information Discovery</a><ol class="toc"><li class="tocline"><a class="tocxref" href="#application-information"><bdi class="secno">4.2.1 </bdi>Application Information</a></li><li class="tocline"><a class="tocxref" href="#redirect-url"><bdi class="secno">4.2.2 </bdi>Redirect URL</a></li></ol></li></ol></li><li class="tocline"><a class="tocxref" href="#authorization"><bdi class="secno">5. </bdi>Authorization</a><ol class="toc"><li class="tocline"><a class="tocxref" href="#discovery-0"><bdi class="secno">5.1 </bdi>Discovery</a></li><li class="tocline"><a class="tocxref" href="#authorization-request"><bdi class="secno">5.2 </bdi>Authorization Request</a><ol class="toc"><li class="tocline"><a class="tocxref" href="#authorization-response"><bdi class="secno">5.2.1 </bdi>Authorization Response</a></li></ol></li><li class="tocline"><a class="tocxref" href="#redeeming-the-authorization-code"><bdi class="secno">5.3 </bdi>Redeeming the Authorization Code</a><ol class="toc"><li class="tocline"><a class="tocxref" href="#request"><bdi class="secno">5.3.1 </bdi>Request</a></li><li class="tocline"><a class="tocxref" href="#profile-url-response"><bdi class="secno">5.3.2 </bdi>Profile URL Response</a></li><li class="tocline"><a class="tocxref" href="#access-token-response"><bdi class="secno">5.3.3 </bdi>Access Token Response</a></li><li class="tocline"><a class="tocxref" href="#profile-information"><bdi class="secno">5.3.4 </bdi>Profile Information</a></li></ol></li></ol></li><li class="tocline"><a class="tocxref" href="#access-token-verification"><bdi class="secno">6. </bdi>Access Token Verification</a><ol class="toc"><li class="tocline"><a class="tocxref" href="#access-token-verification-request"><bdi class="secno">6.1 </bdi>Access Token Verification Request</a></li><li class="tocline"><a class="tocxref" href="#access-token-verification-response"><bdi class="secno">6.2 </bdi>Access Token Verification Response</a></li></ol></li><li class="tocline"><a class="tocxref" href="#token-revocation"><bdi class="secno">7. </bdi>Token Revocation</a><ol class="toc"><li class="tocline"><a class="tocxref" href="#token-revocation-request"><bdi class="secno">7.1 </bdi>Token Revocation Request</a></li></ol></li><li class="tocline"><a class="tocxref" href="#security-considerations"><bdi class="secno">8. </bdi>Security Considerations</a><ol class="toc"><li class="tocline"><a class="tocxref" href="#differing-user-profile-urls"><bdi class="secno">8.1 </bdi>Differing User Profile URLs</a></li><li class="tocline"><a class="tocxref" href="#preventing-phishing-and-redirect-attacks"><bdi class="secno">8.2 </bdi>Preventing Phishing and Redirect Attacks</a></li></ol></li><li class="tocline"><a class="tocxref" href="#iana-considerations"><bdi class="secno">9. </bdi>IANA Considerations</a></li><li class="tocline"><a class="tocxref" href="#resources"><bdi class="secno">A. </bdi>Resources</a><ol class="toc"><li class="tocline"><a class="tocxref" href="#articles"><bdi class="secno">A.1 </bdi>Articles</a></li><li class="tocline"><a class="tocxref" href="#implementations"><bdi class="secno">A.2 </bdi>Implementations</a></li></ol></li><li class="tocline"><a class="tocxref" href="#acknowledgements"><bdi class="secno">B. </bdi>Acknowledgements</a></li><li class="tocline"><a class="tocxref" href="#change-log"><bdi class="secno">C. </bdi>Change Log</a><ol class="toc"><li class="tocline"><a class="tocxref" href="#changes-from-09-august-2020-to-this-version"><bdi class="secno">C.1 </bdi>Changes from 09 August 2020 to this version</a></li><li class="tocline"><a class="tocxref" href="#changes-from-25-january-2020-to-09-august-2020"><bdi class="secno">C.2 </bdi>Changes from 25 January 2020 to 09 August 2020</a></li><li class="tocline"><a class="tocxref" href="#changes-from-03-march-2019-to-25-january-2020"><bdi class="secno">C.3 </bdi>Changes from 03 March 2019 to 25 January 2020</a></li><li class="tocline"><a class="tocxref" href="#changes-from-07-july-2018-to-03-march-2019"><bdi class="secno">C.4 </bdi>Changes from 07 July 2018 to 03 March 2019</a></li><li class="tocline"><a class="tocxref" href="#changes-from-23-january-2018-to-07-july-2018"><bdi class="secno">C.5 </bdi>Changes from <span class="formerLink">23 January 2018</span> to 07 July 2018</a></li><li class="tocline"><a class="tocxref" href="#changes-from-07-july-2018-to-03-march-2019-0"><bdi class="secno">C.6 </bdi>Changes from 07 July 2018 to 03 March 2019</a></li></ol></li><li class="tocline"><a class="tocxref" href="#references"><bdi class="secno">D. </bdi>References</a><ol class="toc"><li class="tocline"><a class="tocxref" href="#normative-references"><bdi class="secno">D.1 </bdi>
         Normative references
       </a></li><li class="tocline"><a class="tocxref" href="#informative-references"><bdi class="secno">D.2 </bdi>
         Informative references
@@ -204,9 +204,7 @@ <h3 id="x1-2-oauth-2-0-extension"><bdi class="secno">1.2 </bdi>OAuth 2.0 Extensi
           <li id="oauth-2-0-extension-li-4">All clients are public clients (no <code>client_secret</code> is used)</li>
           <li id="oauth-2-0-extension-li-5">Client registration at the authorization endpoint is not necessary, since client IDs are resolvable URLs</li>
           <li id="oauth-2-0-extension-li-6">Redirect URL registration happens by verifying data fetched at the Client ID URL</li>
-          <li id="oauth-2-0-extension-li-7">Specifies a mechanism for returning the user identifier for the user who authorized a request</li>
-          <li id="oauth-2-0-extension-li-8">Specifies a mechanism for verifying authorization codes</li>
-          <li id="oauth-2-0-extension-li-9">Specifies a mechanism for a token endpoint and authorization endpoint to communicate</li>
+          <li id="oauth-2-0-extension-li-7">Specifies a mechanism for returning the user identifier and profile information for the user who authorized a request</li>
         </ul>
 
         <p id="oauth-2-0-extension-p-2">Additionally, the parameters defined by OAuth 2.0 (in particular <code>state</code>, <code>code</code>, and <code>scope</code>) follow the same syntax requirements as defined by Appendix A of OAuth 2.0 [<cite><a class="bibref" data-link-type="biblio" href="#bib-rfc6749" title="The OAuth 2.0 Authorization Framework">RFC6749</a></cite>].</p>
@@ -291,7 +289,7 @@ <h3 id="x3-3-url-canonicalization"><bdi class="secno">3.3 </bdi>URL Canonicaliza
 
         <p id="url-canonicalization-p-2">Since domain names are case insensitive, the hostname component of the URL <em class="rfc2119" title="MUST">MUST</em> be compared case insensitively. Implementations <em class="rfc2119" title="SHOULD">SHOULD</em> convert the hostname to lowercase when storing and using URLs.</p>
 
-        <p id="url-canonicalization-p-3">For ease of use, clients <em class="rfc2119" title="MAY">MAY</em> allow users to enter just a hostname part of the URL, in which case the client <em class="rfc2119" title="MUST">MUST</em> turn that into a valid URL before beginning the IndieAuth flow, by prepending a either an <code>http</code> or <code>https</code> scheme and appending the path <code>/</code>. For example, if the user enters <code>example.com</code>, the client transforms it into <code>http://example.com/</code> before beginning discovery.</p>
+        <p id="url-canonicalization-p-3">For ease of use, clients <em class="rfc2119" title="MAY">MAY</em> allow users to enter just a hostname part of the URL, in which case the client <em class="rfc2119" title="MUST">MUST</em> turn that into a valid URL before beginning the IndieAuth flow, by prepending either an <code>http</code> or <code>https</code> scheme and appending the path <code>/</code>. For example, if the user enters <code>example.com</code>, the client transforms it into <code>http://example.com/</code> before beginning discovery.</p>
       </section>
 
     </section>
@@ -307,11 +305,11 @@ <h3 id="x4-1-discovery-by-clients"><bdi class="secno">4.1 </bdi>Discovery by Cli
 
         <p id="discovery-by-clients-p-1">Clients need to discover a few pieces of information when a user signs in. The client needs to discover the user's <code>authorization_endpoint</code>, and optionally <code>token_endpoint</code> if the client needs an access token. When using the Authorization flow to obtain an access token for use at a [<cite><a class="bibref" data-link-type="biblio" href="#bib-micropub" title="Micropub">Micropub</a></cite>] endpoint, the client will also discover the <code>micropub</code> endpoint.</p>
 
-        <p id="discovery-by-clients-p-2">Clients <em class="rfc2119" title="MUST">MUST</em> start by making a GET or HEAD request to [<cite><a class="bibref" data-link-type="biblio" href="#bib-fetch" title="Fetch Standard">Fetch</a></cite>] the user's profile URL to discover the necessary values. Clients <em class="rfc2119" title="MUST">MUST</em> follow HTTP redirects (up to a self-imposed limit). If an HTTP permament redirect (HTTP 301 or 308) is encountered, the client <em class="rfc2119" title="MUST">MUST</em> use the resulting URL as the canonical profile URL. If an HTTP temporary redirect (HTTP 302 or 307) is encountered, the client <em class="rfc2119" title="MUST">MUST</em> use the previous URL as the profile URL, but use the redirected-to page for discovery.</p>
+        <p id="discovery-by-clients-p-2">Clients <em class="rfc2119" title="MUST">MUST</em> start by making a GET or HEAD request to [<cite><a class="bibref" data-link-type="biblio" href="#bib-fetch" title="Fetch Standard">Fetch</a></cite>] the user's profile URL to discover the necessary values. Clients <em class="rfc2119" title="MUST">MUST</em> follow HTTP redirects (up to a self-imposed limit). If one or more successive HTTP permanent redirects (HTTP 301 or 308) are encountered starting with the very first request, the client <em class="rfc2119" title="MUST">MUST</em> use the final permanent redirection's target URL as the canonical profile URL. If any other redirection (such as HTTP 302, 303, or 307) is encountered, it must still be resolved for endpoint discovery, but this redirection does not modify the canonical profile URL, nor do subsequent permanent redirects.</p>
 
         <p id="discovery-by-clients-p-3">Clients <em class="rfc2119" title="MUST">MUST</em> check for an HTTP <code>Link</code> header [<cite><a class="bibref" data-link-type="biblio" href="#bib-rfc8288" title="Web Linking">RFC8288</a></cite>] with the appropriate <code>rel</code> value. If the content type of the document is HTML, then the client <em class="rfc2119" title="MUST">MUST</em> check for an HTML <code>&lt;link&gt;</code> element with the appropriate <code>rel</code> value. If more than one of these is present, the first HTTP <code>Link</code> header takes precedence, followed by the first <code>&lt;link&gt;</code> element in document order.</p>
 
-        <p id="discovery-by-clients-p-4">The endpoints discovered <em class="rfc2119" title="MAY">MAY</em> be relative URLs, in which case the client <em class="rfc2119" title="MUST">MUST</em> resolve them relative to the profile URL according to [<cite><a class="bibref" data-link-type="biblio" href="#bib-url" title="URL Standard">URL</a></cite>].</p>
+        <p id="discovery-by-clients-p-4">The endpoints discovered <em class="rfc2119" title="MAY">MAY</em> be relative URLs, in which case the client <em class="rfc2119" title="MUST">MUST</em> resolve them relative to the current document URL according to [<cite><a class="bibref" data-link-type="biblio" href="#bib-url" title="URL Standard">URL</a></cite>].</p>
 
         <p id="discovery-by-clients-p-5">Clients <em class="rfc2119" title="MAY">MAY</em> initially make an HTTP HEAD request [<cite><a class="bibref" data-link-type="biblio" href="#bib-rfc7231" title="Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content">RFC7231</a></cite>] to follow redirects and check for the <code>Link</code> header before making a GET request.</p>
 
@@ -453,36 +451,55 @@ <h3 id="x5-1-discovery"><bdi class="secno">5.1 </bdi>Discovery<a class="self-lin
       <section id="authorization-request">
         <h3 id="x5-2-authorization-request"><bdi class="secno">5.2 </bdi>Authorization Request<a class="self-link" aria-label="§" href="#authorization-request"></a></h3>
 
-          <p id="authorization-request-p-1">The client builds the authorization request URL by starting with the discovered <code>authorization_endpoint</code> URL and adding the following parameters to the query component:</p>
+          <p id="authorization-request-p-1">The client builds the authorization request URL by starting with the discovered <code>authorization_endpoint</code> URL and adding parameters to the query component.</p>
+
+          <p id="authorization-request-p-2">All IndieAuth clients <em class="rfc2119" title="MUST">MUST</em> use PKCE ([<cite><a class="bibref" data-link-type="biblio" href="#bib-rfc7636" title="Proof Key for Code Exchange by OAuth Public Clients">RFC7636</a></cite>]) to protect against authorization code injection and CSRF attacks. A non-canonical description of the PKCE mechanism is described below, but implementers should refer to [<cite><a class="bibref" data-link-type="biblio" href="#bib-rfc7636" title="Proof Key for Code Exchange by OAuth Public Clients">RFC7636</a></cite>] for details.</p>
+
+          <p id="authorization-request-p-3">Clients use a unique secret per authorization request to protect against authorization code injection and CSRF attacks. The client first generates this secret, which it can later use along with the authorization code to prove that the application using the authorization code is the same application that requested it.</p>
+
+          <p id="authorization-request-p-4">The client first creates a code verifier for each authorization request by generating a random string using the characters <code>[A-Z] / [a-z] / [0-9] / - / . / _ / ~</code> with a minimum length of 43 characters and maximum length of 128 characters. This value is stored on the client and will be used in the authorization code exchange step later.</p>
+
+          <p id="authorization-request-p-5">The client then creates the code challenge derived from the code verifier by calculating the SHA256 hash of the code verifier and Base64-URL-encoding the result.</p>
+
+          <code>code_challenge = BASE64URL-ENCODE(SHA256(ASCII(code_verifier)))</code>
+
+          <p id="authorization-request-p-6">For backwards compatibility, authorization endpoints <em class="rfc2119" title="MAY">MAY</em> accept authorization requests without a code challenge if the authorization server wishes to support older clients.</p>
 
           <ul>
             <li id="authorization-request-li-1"><code>response_type=code</code> - Indicates to the authorization server that an authorization code should be returned as the response</li>
-            <li id="authorization-request-li-2"><code>me</code> - The profile URL that the user entered</li>
-            <li id="authorization-request-li-3"><code>client_id</code> - The client URL</li>
-            <li id="authorization-request-li-4"><code>redirect_uri</code> - The redirect URL indicating where the user should be redirected to after approving the request</li>
-            <li id="authorization-request-li-5"><code>state</code> - A parameter set by the client which will be included when the user is redirected back to the client. This is used to prevent CSRF attacks. The authorization server <em class="rfc2119" title="MUST">MUST</em> return the unmodified state value back to the client.</li>
-            <li id="authorization-request-li-6"><code>scope</code> - (optional) A space-separated list of scopes the client is requesting, e.g. "profile", or "profile create". If the client omits this value, the authorization server <em class="rfc2119" title="MUST NOT">MUST NOT</em> issue an access token for this authorization code. Only the user's URL may be returned without any scope requested.</li>
+            <li id="authorization-request-li-2"><code>client_id</code> - The client URL</li>
+            <li id="authorization-request-li-3"><code>redirect_uri</code> - The redirect URL indicating where the user should be redirected to after approving the request</li>
+            <li id="authorization-request-li-4"><code>state</code> - A parameter set by the client which will be included when the user is redirected back to the client. This is used to prevent CSRF attacks. The authorization server <em class="rfc2119" title="MUST">MUST</em> return the unmodified state value back to the client.</li>
+            <li id="authorization-request-li-5"><code>code_challenge</code> - The code challenge as previously described.</li>
+            <li id="authorization-request-li-6"><code>code_challenge_method</code> - The hashing method used to calculate the code challenge, e.g. "S256"</li>
+            <li id="authorization-request-li-7"><code>scope</code> - (optional) A space-separated list of scopes the client is requesting, e.g. "profile", or "profile create". If the client omits this value, the authorization server <em class="rfc2119" title="MUST NOT">MUST NOT</em> issue an access token for this authorization code. Only the user's profile URL may be returned without any scope requested. See <a href="#profile-information">Profile Information</a> for details about which scopes to request to return user profile information.</li>
+            <li id="authorization-request-li-8"><code>me</code> - (optional) The profile URL that the user entered</li>
           </ul>
 
           <div class="example" id="example-5">
         <div class="marker">
     <a class="self-link" href="#example-5">Example<bdi> 5</bdi></a>
-  </div> <pre class="nohighlight">https://example.org/auth?me=https://user.example.net/&amp;
-                          redirect_uri=https://app.example.com/redirect&amp;
+  </div> <pre class="nohighlight">https://example.org/auth?response_type=code&amp;
                           client_id=https://app.example.com/&amp;
+                          redirect_uri=https://app.example.com/redirect&amp;
                           state=1234567890&amp;
+                          code_challenge=OfYAxt8zU2dAPDWQxTAUIteRzMsoj9QBdMIVEDOErUo&amp;
+                          code_challenge_method=S256&amp;
                           scope=profile+create+update+delete&amp;
-                          response_type=code</pre>
+                          me=https://user.example.net/</pre>
       </div>
 
-          <p id="authorization-request-p-2">The authorization endpoint <em class="rfc2119" title="SHOULD">SHOULD</em> fetch the <code>client_id</code> URL to retrieve application information and the client's registered redirect URLs, see <a href="#client-information-discovery">Client Information Discovery</a> for more information.</p>
+          <p id="authorization-request-p-7">The client <em class="rfc2119" title="SHOULD">SHOULD</em> provide the <code>me</code> query string parameter to the authorization endpoint, either the exact value the user entered, or the canonical profile URL resulting from the discovery step.</p>
 
-          <p id="authorization-request-p-3">If the URL scheme, host or port of the <code>redirect_uri</code> in the request do not match that of the <code>client_id</code>, then the authorization endpoint <em class="rfc2119" title="SHOULD">SHOULD</em> verify that the requested <code>redirect_uri</code> matches one of the <a href="#redirect-url">redirect URLs</a> published by the client, and <em class="rfc2119" title="SHOULD">SHOULD</em> block the request from proceeding if not.</p>
+          <p id="authorization-request-p-8">The authorization endpoint <em class="rfc2119" title="SHOULD">SHOULD</em> fetch the <code>client_id</code> URL to retrieve application information and the client's registered redirect URLs, see <a href="#client-information-discovery">Client Information Discovery</a> for more information.</p>
 
-          <p id="authorization-request-p-4">It is up to the authorization endpoint how to authenticate the user. This step is out of scope of OAuth 2.0, and is highly dependent on the particular implementation. Some authorization servers use typical username/password authentication, and others use alternative forms of authentication such as [<cite><a class="bibref" data-link-type="biblio" href="#bib-relmeauth" title="RelMeAuth">RelMeAuth</a></cite>].</p>
+          <p id="authorization-request-p-9">If the URL scheme, host or port of the <code>redirect_uri</code> in the request do not match that of the <code>client_id</code>, then the authorization endpoint <em class="rfc2119" title="SHOULD">SHOULD</em> verify that the requested <code>redirect_uri</code> matches one of the <a href="#redirect-url">redirect URLs</a> published by the client, and <em class="rfc2119" title="SHOULD">SHOULD</em> block the request from proceeding if not.</p>
 
-          <p id="authorization-request-p-5">Once the user is authenticated, the authorization endpoint presents the authorization request to the user. The prompt <em class="rfc2119" title="MUST">MUST</em> indicate which application the user is signing in to, and <em class="rfc2119" title="SHOULD">SHOULD</em> provide as much detail as possible about the request, such as information about the requested scopes.</p>
+          <p id="authorization-request-p-10">It is up to the authorization endpoint how to authenticate the user. This step is out of scope of OAuth 2.0, and is highly dependent on the particular implementation. Some authorization servers use typical username/password authentication, and others use alternative forms of authentication such as [<cite><a class="bibref" data-link-type="biblio" href="#bib-relmeauth" title="RelMeAuth">RelMeAuth</a></cite>], or delegate to other identity providers.</p>
 
+          <p id="authorization-request-p-11">The authorization endpoint <em class="rfc2119" title="MAY">MAY</em> use the provided <code>me</code> query component as a hint of which user is attempting to sign in, and to indicate which profile URL the client is expecting in the resulting profile URL response or access token response. This is specifically helpful for authorization endpoints where users have multiple supported profile URLs, so the authorization endpoint can make an informed decision as to which profile URL the user meant to identify as. Note that from the authorization endpoint's view, this value as provided by the client is unverified external data and <em class="rfc2119" title="MUST NOT">MUST NOT</em> be assumed to be valid data at this stage. If the logged-in user doesn't match the provided <code>me</code> parameter by the client, the authorization endpoint <em class="rfc2119" title="MAY">MAY</em> either ignore the <code>me</code> parameter completely or display an error, at the authorization endpoint's discretion.</p>
+
+          <p id="authorization-request-p-12">Once the user is authenticated, the authorization endpoint presents the authorization request to the user. The prompt <em class="rfc2119" title="MUST">MUST</em> indicate which application the user is signing in to, and <em class="rfc2119" title="SHOULD">SHOULD</em> provide as much detail as possible about the request, such as information about the requested scopes.</p>
 
         <section id="authorization-response">
           <h4 id="x5-2-1-authorization-response"><bdi class="secno">5.2.1 </bdi>Authorization Response<a class="self-link" aria-label="§" href="#authorization-response"></a></h4>
@@ -518,17 +535,18 @@ <h3 id="x5-3-redeeming-the-authorization-code"><bdi class="secno">5.3 </bdi>Rede
         <section id="request">
           <h4 id="x5-3-1-request"><bdi class="secno">5.3.1 </bdi>Request<a class="self-link" aria-label="§" href="#request"></a></h4>
 
-          <p id="request-p-1">If the client only needs to know the user who logged in and does not need to make requests to resource servers with an access token, the client exchanges the authorization code for the user's profile URL at the <b>authorization endpoint</b>.</p>
+          <p id="request-p-1">If the client needs an access token in order to make requests to a resource server such as a [<cite><a class="bibref" data-link-type="biblio" href="#bib-micropub" title="Micropub">Micropub</a></cite>] endpoint, it can exchange the authorization code for an access token and the user's profile URL at the <b>token endpoint</b>.</p>
 
-          <p id="request-p-2">If the client needs an access token in order to make requests to a resource server such as a [<cite><a class="bibref" data-link-type="biblio" href="#bib-micropub" title="Micropub">Micropub</a></cite>] endpoint, it can exchange the authorization code for an access token and the user's profile URL at the <b>token endpoint</b>.</p>
+          <p id="request-p-2">If the client only needs to know the user who logged in and does not need to make requests to resource servers with an access token, the client exchanges the authorization code for the user's profile URL at the <b>authorization endpoint</b>.</p>
 
           <p id="request-p-3">After the client validates the state parameter, the client makes a POST request to the token endpoint or authorization endpoint to exchange the authorization code for the final user profile URL and/or access token. The POST request contains the following parameters:</p>
 
           <ul>
             <li id="request-li-1"><code>grant_type=authorization_code</code></li>
-            <li id="request-li-2"><code>code</code> - The authorization code received from the authorization endpoint in the redirect</li>
+            <li id="request-li-2"><code>code</code> - The authorization code received from the authorization endpoint in the redirect.</li>
             <li id="request-li-3"><code>client_id</code> - The client's URL, which <em class="rfc2119" title="MUST">MUST</em> match the client_id used in the authentication request.</li>
             <li id="request-li-4"><code>redirect_uri</code> - The client's redirect URL, which <em class="rfc2119" title="MUST">MUST</em> match the initial authentication request.</li>
+            <li id="request-li-5"><code>code_verifier</code> - The original plaintext random string generated before starting the authorization request.</li>
           </ul>
 
           <b>Example request to authorization endpoint</b>
@@ -542,7 +560,8 @@ <h4 id="x5-3-1-request"><bdi class="secno">5.3.1 </bdi>Request<a class="self-lin
   grant_type=authorization_code
   &amp;code=xxxxxxxx
   &amp;client_id=https://app.example.com/
-  &amp;redirect_uri=https://app.example.com/redirect</pre>
+  &amp;redirect_uri=https://app.example.com/redirect
+  &amp;code_verifier=a6128783714cfda1d388e2e98b6ae8221ac31aca31959e59512c59f5</pre>
       </div>
 
           <b>Example request to token endpoint</b>
@@ -556,14 +575,19 @@ <h4 id="x5-3-1-request"><bdi class="secno">5.3.1 </bdi>Request<a class="self-lin
 grant_type=authorization_code
 &amp;code=xxxxxxxx
 &amp;client_id=https://app.example.com/
-&amp;redirect_uri=https://app.example.com/redirect</pre>
+&amp;redirect_uri=https://app.example.com/redirect
+&amp;code_verifier=a6128783714cfda1d388e2e98b6ae8221ac31aca31959e59512c59f5</pre>
       </div>
         </section>
 
+          <p id="redeeming-the-authorization-code-p-5">Note that for backwards compatibility, the authorization endpoint <em class="rfc2119" title="MAY">MAY</em> allow requests without the <code>code_verifier</code>. If an authorization code was issued with no <code>code_challenge</code> present, then the authorization code exchange <em class="rfc2119" title="MUST NOT">MUST NOT</em> include a <code>code_verifier</code>, and similarly, if an authorization code was issued with a <code>code_challenge</code> present, then the authorization code exchange <em class="rfc2119" title="MUST">MUST</em> include a <code>code_verifier</code>.</p>
+
         <section id="profile-url-response">
           <h4 id="x5-3-2-profile-url-response"><bdi class="secno">5.3.2 </bdi>Profile URL Response<a class="self-link" aria-label="§" href="#profile-url-response"></a></h4>
 
-          <p id="profile-url-response-p-1">The authorization endpoint verifies that the authorization code is valid, has not yet been used, and that it was issued for the matching <code>client_id</code> and <code>redirect_uri</code>. If the request is valid, then the endpoint responds with a JSON [<cite><a class="bibref" data-link-type="biblio" href="#bib-rfc7159" title="The JavaScript Object Notation (JSON) Data Interchange Format">RFC7159</a></cite>] object containing one property, <code>me</code>, with the canonical user profile URL for the user who signed in.</p>
+          <p id="profile-url-response-p-1">When the client receives an authorization code that was requested with either no scope or only profile scopes (<a href="#profile-information">defined below</a>), the client will exchange the authorization code at the <b>authorization endpoint</b>, and only the canonical user profile URL and possibly profile information is returned.</p>
+
+          <p id="profile-url-response-p-2">The authorization endpoint verifies that the authorization code is valid, has not yet been used, and that it was issued for the matching <code>client_id</code> and <code>redirect_uri</code>, and checks that the provided <code>code_verifier</code> hashes to the same value as given in the <code>code_challenge</code> in the original authorization request. If the request is valid, then the endpoint responds with a JSON [<cite><a class="bibref" data-link-type="biblio" href="#bib-rfc7159" title="The JavaScript Object Notation (JSON) Data Interchange Format">RFC7159</a></cite>] object containing the property <code>me</code>, with the canonical user profile URL for the user who signed in, and optionally the property <code>profile</code> with the user's profile information as defined in <a href="#profile-information">Profile Information</a>.</p>
 
           <div class="example" id="example-9">
         <div class="marker">
@@ -576,19 +600,21 @@ <h4 id="x5-3-2-profile-url-response"><bdi class="secno">5.3.2 </bdi>Profile URL
   }</pre>
       </div>
 
-          <p id="profile-url-response-p-2">The resulting profile URL <em class="rfc2119" title="MAY">MAY</em> be different from what the user initially entered, but <em class="rfc2119" title="MUST">MUST</em> be on the same domain. This gives the authorization endpoint an opportunity to canonicalize the user's URL, such as correcting <code>http</code> to <code>https</code>, or adding a path if required. See <a href="#redirect-examples">Redirect Examples</a> for an example of how a service can allow a user to enter a URL on a domain different from their resulting <code>me</code> profile URL.</p>
+          <p id="profile-url-response-p-3">The resulting profile URL <em class="rfc2119" title="MAY">MAY</em> be different from the canonical profile URL as resolved by the client, but <em class="rfc2119" title="MUST">MUST</em> be on the same domain. This gives the authorization endpoint an opportunity to canonicalize the user's URL, such as correcting <code>http</code> to <code>https</code>, or adding a path if required. See <a href="#redirect-examples">Redirect Examples</a> for an example of how a service can allow a user to enter a URL on a domain different from their resulting <code>me</code> profile URL, and see <a href="#differing-user-profile-urls">Differing User Profile URLs</a> for security considerations client developers should be aware of.</p>
 
-          <p id="profile-url-response-p-3">See OAuth 2.0 [<cite><a class="bibref" data-link-type="biblio" href="#bib-rfc6749" title="The OAuth 2.0 Authorization Framework">RFC6749</a></cite>] <a href="https://tools.ietf.org/html/rfc6749#section-5.2">Section 5.2</a> for how to respond in the case of errors or other failures.</p>
+          <p id="profile-url-response-p-4">See OAuth 2.0 [<cite><a class="bibref" data-link-type="biblio" href="#bib-rfc6749" title="The OAuth 2.0 Authorization Framework">RFC6749</a></cite>] <a href="https://tools.ietf.org/html/rfc6749#section-5.2">Section 5.2</a> for how to respond in the case of errors or other failures.</p>
         </section>
 
         <section id="access-token-response">
           <h4 id="x5-3-3-access-token-response"><bdi class="secno">5.3.3 </bdi>Access Token Response<a class="self-link" aria-label="§" href="#access-token-response"></a></h4>
 
-          <p id="access-token-response-p-1">The token endpoint needs to verify that the authorization code is valid, and that it was issued for the matching <code>client_id</code> and <code>redirect_uri</code>, and contains at least one <code>scope</code>. If the authorization code was issued with no <code>scope</code>, the token endpoint <em class="rfc2119" title="MUST NOT">MUST NOT</em> issue an access token, as empty scopes are invalid per Section 3.3 of OAuth 2.0 [<cite><a class="bibref" data-link-type="biblio" href="#bib-rfc6749" title="The OAuth 2.0 Authorization Framework">RFC6749</a></cite>].</p>
+          <p id="access-token-response-p-1">When the client receives an authorization code that was requested with one or more scopes that will result in an access token being returned, the client will exchange the authorization code at the <b>token endpoint</b>.</p>
+
+          <p id="access-token-response-p-2">The token endpoint needs to verify that the authorization code is valid, and that it was issued for the matching <code>client_id</code> and <code>redirect_uri</code>, contains at least one <code>scope</code>, and checks that the provided <code>code_verifier</code> hashes to the same value as given in the <code>code_challenge</code> in the original authorization request. If the authorization code was issued with no <code>scope</code>, the token endpoint <em class="rfc2119" title="MUST NOT">MUST NOT</em> issue an access token, as empty scopes are invalid per Section 3.3 of OAuth 2.0 [<cite><a class="bibref" data-link-type="biblio" href="#bib-rfc6749" title="The OAuth 2.0 Authorization Framework">RFC6749</a></cite>].</p>
 
-          <p id="access-token-response-p-2">The specifics of how the token endpoint verifies the authorization code are out of scope of this document, as typically the authorization endpoint and token endpoint are part of the same system and can share storage or other private communication mechanism.</p>
+          <p id="access-token-response-p-3">The specifics of how the token endpoint verifies the authorization code are out of scope of this document, as typically the authorization endpoint and token endpoint are part of the same system and can share storage or another private communication mechanism.</p>
 
-          <p id="access-token-response-p-3">If the request is valid, then the token endpoint can generate an access token and return the appropriate response. The token response is a JSON [<cite><a class="bibref" data-link-type="biblio" href="#bib-rfc7159" title="The JavaScript Object Notation (JSON) Data Interchange Format">RFC7159</a></cite>] object containing the OAuth 2.0 Bearer Token [<cite><a class="bibref" data-link-type="biblio" href="#bib-rfc6750" title="The OAuth 2.0 Authorization Framework: Bearer Token Usage">RFC6750</a></cite>], as well as a property <code>me</code>, containing the canonical user profile URL for the user this access token corresponds to. For example:</p>
+          <p id="access-token-response-p-4">If the request is valid, then the token endpoint can generate an access token and return the appropriate response. The token response is a JSON [<cite><a class="bibref" data-link-type="biblio" href="#bib-rfc7159" title="The JavaScript Object Notation (JSON) Data Interchange Format">RFC7159</a></cite>] object containing the OAuth 2.0 Bearer Token [<cite><a class="bibref" data-link-type="biblio" href="#bib-rfc6750" title="The OAuth 2.0 Authorization Framework: Bearer Token Usage">RFC6750</a></cite>], as well as a property <code>me</code>, containing the canonical user profile URL for the user this access token corresponds to, and optionally the property <code>profile</code> with the user's profile information as defined in <a href="#profile-information">Profile Information</a>. For example:</p>
 
           <div class="example" id="example-10">
         <div class="marker">
@@ -604,10 +630,61 @@ <h4 id="x5-3-3-access-token-response"><bdi class="secno">5.3.3 </bdi>Access Toke
 }</pre>
       </div>
 
-          <p id="access-token-response-p-4">The resulting profile URL <em class="rfc2119" title="MAY">MAY</em> be different from what the user initially entered, but <em class="rfc2119" title="MUST">MUST</em> be on the same domain. This provides the opportunity to canonicalize the user's URL, such as correcting <code>http</code> to <code>https</code>, or adding a path if required. See <a href="#redirect-examples">Redirect Examples</a> for an example of how a service can allow a user to enter a URL on a domain different from their resulting <code>me</code> profile URL.</p>
+          <p id="access-token-response-p-5">The resulting profile URL <em class="rfc2119" title="MAY">MAY</em> be different from the canonical profile URL as resolved by the client, but <em class="rfc2119" title="MUST">MUST</em> be on the same domain. This provides the opportunity to canonicalize the user's URL, such as correcting <code>http</code> to <code>https</code>, or adding a path if required. See <a href="#redirect-examples">Redirect Examples</a> for an example of how a service can allow a user to enter a URL on a domain different from their resulting <code>me</code> profile URL.</p>
+
+          <p id="access-token-response-p-6">See OAuth 2.0 [<cite><a class="bibref" data-link-type="biblio" href="#bib-rfc6749" title="The OAuth 2.0 Authorization Framework">RFC6749</a></cite>] <a href="https://tools.ietf.org/html/rfc6749#section-5.2">Section 5.2</a> for how to respond in the case of errors or other failures.</p>
+        </section>
+
+        <section id="profile-information">
+          <h4 id="x5-3-4-profile-information"><bdi class="secno">5.3.4 </bdi>Profile Information<a class="self-link" aria-label="§" href="#profile-information"></a></h4>
+
+          <h5 id="requesting-profile-information">Requesting Profile Information<a class="self-link" aria-label="§" href="#profile-information"></a></h5>
+
+          <p id="profile-information-p-1">If the client would like to request the user's profile information in addition to confirming their profile URL, the client can include one or more scopes in the initial authorization request. The following <code>scope</code> values are defined by this specification to request profile information about the user:</p>
+
+          <ul>
+            <li id="profile-information-li-1"><code>profile</code> (required) - This scope requests access to the user's default profile information which include the following properties: <code>name</code>, <code>photo</code>, <code>url</code>.</li>
+            <li id="profile-information-li-2"><code>email</code> - This scope requests access to the user's email address in the following property: <code>email</code>.</li>
+          </ul>
+
+          <p id="profile-information-p-2">Note that because the <code>profile</code> scope is required when requesting profile information, the <code>email</code> scope cannot be requested on its own and must be requested along with the <code>profile</code> scope if desired.</p><p id="profile-information-p-3">
+
+          </p><p id="profile-information-p-4">When an authorization code is issued with any of the scopes defined above, then the response when exchanging the authorization code <em class="rfc2119" title="MAY">MAY</em> include a new property, <code>profile</code>, alongside the <code>me</code> property in the response from the authorization endpoint or the token endpoint. The <code>profile</code> property is defined as a JSON [<cite><a class="bibref" data-link-type="biblio" href="#bib-rfc7159" title="The JavaScript Object Notation (JSON) Data Interchange Format">RFC7159</a></cite>] object with the properties defined by each scope above.</p>
+
+          <p id="profile-information-p-5">For example, a complete response to a request with the scopes <code>profile email create</code>, including an access token and profile information, may look like the following:</p>
+
+          <div class="example" id="example-11">
+        <div class="marker">
+    <a class="self-link" href="#example-11">Example<bdi> 11</bdi></a>
+  </div> <pre class="nohighlight">HTTP/1.1 200 OK
+Content-Type: application/json
+
+{
+  "access_token": "XXXXXX",
+  "token_type": "Bearer",
+  "scope": "profile email create",
+  "me": "https://user.example.net/",
+  "profile": {
+    "name": "Example User",
+    "url": "https://user.example.net/",
+    "photo": "https://user.example.net/photo.jpg",
+    "email": "user@example.net"
+  }
+}</pre>
+      </div>
+
+          <p id="profile-information-p-6">As is always the case with OAuth 2.0, there is no guarantee that the scopes the client requests will be granted by the authorization server or the user. The client should not rely on the presence of profile information even when requesting the profile scope. As such, implementing support for returning profile information from the authorization server is entirely optional.</p>
+
+          <p id="profile-information-p-7">The information returned in the <code>profile</code> object is informational, and there is no guarantee that this information is "real" or "verified". The information provided is only what the user has chosen to share with the client, and may even vary depending on which client is requesting this data.</p>
+
+          <p id="profile-information-p-8">The client <em class="rfc2119" title="MUST NOT">MUST NOT</em> treat the information in the <code>profile</code> object as canonical or authoritative, and <em class="rfc2119" title="MUST NOT">MUST NOT</em> make any authentication or identification decisions based on this information.</p>
+
+          <p id="profile-information-p-9">For example, attempting to use the <code>email</code> returned in the profile object as a user identifier will lead to security holes, as any user can create an authorization endpoint that returns any email address in the profile response. A client using the email address returned here should treat it the same as if it had been hand-entered in the client application and go through its own verification process before using it.</p>
+
+          <p id="profile-information-p-10">Similarly, the <code>url</code> returned in the <code>profile</code> object is not guaranteed to match the <code>me</code> URL, and may even be on a different domain. For example, a multi-author website may use the website's URL as the <code>me</code> URL, but return each specific author's own personal website in the profile data.</p>
 
-          <p id="access-token-response-p-5">See OAuth 2.0 [<cite><a class="bibref" data-link-type="biblio" href="#bib-rfc6749" title="The OAuth 2.0 Authorization Framework">RFC6749</a></cite>] <a href="https://tools.ietf.org/html/rfc6749#section-5.2">Section 5.2</a> for how to respond in the case of errors or other failures.</p>
         </section>
+
       </section>
 
     </section>
@@ -624,9 +701,9 @@ <h3 id="x6-1-access-token-verification-request"><bdi class="secno">6.1 </bdi>Acc
 
         <p id="access-token-verification-request-p-1">If a resource server needs to verify that an access token is valid, it <em class="rfc2119" title="MUST">MUST</em> make a GET request to the token endpoint containing an HTTP <code>Authorization</code> header with the Bearer Token according to [<cite><a class="bibref" data-link-type="biblio" href="#bib-rfc6750" title="The OAuth 2.0 Authorization Framework: Bearer Token Usage">RFC6750</a></cite>]. Note that the request to the endpoint will not contain any user-identifying information, so the resource server (e.g. Micropub endpoint) will need to know via out-of-band methods which token endpoint is in use.</p>
 
-        <div class="example" id="example-11">
+        <div class="example" id="example-12">
         <div class="marker">
-    <a class="self-link" href="#example-11">Example<bdi> 11</bdi></a>
+    <a class="self-link" href="#example-12">Example<bdi> 12</bdi></a>
   </div> <pre class="nohighlight">GET https://example.org/token
   Authorization: Bearer xxxxxxxx
   Accept: application/json</pre>
@@ -636,7 +713,7 @@ <h3 id="x6-1-access-token-verification-request"><bdi class="secno">6.1 </bdi>Acc
       <section id="access-token-verification-response">
         <h3 id="x6-2-access-token-verification-response"><bdi class="secno">6.2 </bdi>Access Token Verification Response<a class="self-link" aria-label="§" href="#access-token-verification-response"></a></h3>
 
-        <p id="access-token-verification-response-p-1">The token endpoint verifies the access token using (how this verification is done is up to the implementation), and returns information about the token:</p>
+        <p id="access-token-verification-response-p-1">The token endpoint verifies the access token (how this verification is done is up to the implementation), and returns information about the token:</p>
 
         <ul>
           <li id="access-token-verification-response-li-1"><code>me</code> - The profile URL of the user corresponding to this token</li>
@@ -644,9 +721,9 @@ <h3 id="x6-2-access-token-verification-response"><bdi class="secno">6.2 </bdi>Ac
           <li id="access-token-verification-response-li-3"><code>scope</code> - A space-separated list of scopes associated with this token</li>
         </ul>
 
-        <div class="example" id="example-12">
+        <div class="example" id="example-13">
         <div class="marker">
-    <a class="self-link" href="#example-12">Example<bdi> 12</bdi></a>
+    <a class="self-link" href="#example-13">Example<bdi> 13</bdi></a>
   </div> <pre class="nohighlight">HTTP/1.1 200 OK
   Content-Type: application/json
 
@@ -678,9 +755,9 @@ <h3 id="x7-1-token-revocation-request"><bdi class="secno">7.1 </bdi>Token Revoca
 
         <p id="token-revocation-request-p-1">An example revocation request is below.</p>
 
-        <div class="example" id="example-13">
+        <div class="example" id="example-14">
         <div class="marker">
-    <a class="self-link" href="#example-13">Example<bdi> 13</bdi></a>
+    <a class="self-link" href="#example-14">Example<bdi> 14</bdi></a>
   </div> <pre class="nohighlight">POST https://example.org/token HTTP/1.1
   Content-Type: application/x-www-form-urlencoded
   Accept: application/json
@@ -706,13 +783,16 @@ <h3 id="x8-1-differing-user-profile-urls"><bdi class="secno">8.1 </bdi>Differing
 
         <p id="differing-user-profile-urls-p-2">For example, a user might enter <code>user.example.net</code> in a login interface, and the client may assume a default scheme of <code>http</code>, providing an initial profile URL of <code>http://user.example.net</code>. Once the authentication or authorization flow is complete, the response in the <code>me</code> parameter might be the canonical <code>https://user.example.net/</code>. In some cases, user profile URLs have a full path component such as <code>https://example.net/username</code>, but users may enter just <code>example.net</code> in the login interface.</p>
 
-        <p id="differing-user-profile-urls-p-3">Clients <em class="rfc2119" title="MUST">MUST</em> use the resulting <code>me</code> value from the <a href="#profile-url-response">profile URL response</a> or <a href="#access-token-response">access token response</a> rather than assume the initially-entered URL is correct, with the following condition:</p>
+        <p id="differing-user-profile-urls-p-3">Upon validation, clients <em class="rfc2119" title="MUST">MUST</em> check the <code>me</code> value from the <a href="#profile-url-response">profile URL response</a> or <a href="#access-token-response">access token response</a>, and take the following validation steps:</p>
 
-        <ul>
-          <li id="differing-user-profile-urls-li-1">The resulting profile URL <em class="rfc2119" title="MUST">MUST</em> have a matching domain of the initially-entered profile URL.</li>
-        </ul>
+        <ol>
+          <li id="differing-user-profile-urls-li-1">It <em class="rfc2119" title="MUST">MUST</em> follow any permanent redirections from this URL to discover the canonical profile URL, in the same manner as <a href="#discovery-by-clients">initial profile URL discovery</a>.</li>
+          <li id="differing-user-profile-urls-li-2">It <em class="rfc2119" title="MUST">MUST</em> verify that the canonical profile URL is on the same domain as the initially-entered profile URL.</li>
+          <li id="differing-user-profile-urls-li-3">It <em class="rfc2119" title="MUST">MUST</em> verify that the canonical profile URL declares the same <code>authorization_endpoint</code> as the initially-entered profile URL.</li>
+        </ol>
+
+        <p id="differing-user-profile-urls-p-4">These steps ensure that an authorization endpoint is not able to issue valid responses for arbitrary profile URLs, and that users on a shared domain cannot forge authorization on behalf of other users of that domain.</p>
 
-        <p id="differing-user-profile-urls-p-4">This ensures that an authorization endpoint is not able to issue valid responses for arbitrary profile URLs.</p>
       </section>
 
       <section id="preventing-phishing-and-redirect-attacks">
@@ -805,18 +885,28 @@ <h2 id="b-acknowledgements"><bdi class="secno">B. </bdi>Acknowledgements<a class
     <section class="appendix informative" id="change-log">
       <h2 id="c-change-log"><bdi class="secno">C. </bdi>Change Log<a class="self-link" aria-label="§" href="#change-log"></a></h2><p id="change-log-p-1"><em>This section is non-normative.</em></p>
 
-      <section id="changes-from-25-january-2020-to-this-version">
-        <h3 id="c-1-changes-from-25-january-2020-to-this-version"><bdi class="secno">C.1 </bdi>Changes from 25 January 2020 to this version<a class="self-link" aria-label="§" href="#changes-from-25-january-2020-to-this-version"></a></h3>
+      <section id="changes-from-09-august-2020-to-this-version">
+        <h3 id="c-1-changes-from-09-august-2020-to-this-version"><bdi class="secno">C.1 </bdi>Changes from 09 August 2020 to this version<a class="self-link" aria-label="§" href="#changes-from-09-august-2020-to-this-version"></a></h3>
+        <ul>
+          <li id="changes-from-09-august-2020-to-this-version-li-1">Make the <code>me</code> parameter optional (but recommended) in the authorization request</li>
+          <li id="changes-from-09-august-2020-to-this-version-li-2">Add the option of returning profile information in the response as well as defining profile scopes</li>
+          <li id="changes-from-09-august-2020-to-this-version-li-3">Incorporate PKCE into the spec</li>
+          <li id="changes-from-09-august-2020-to-this-version-li-4">Fixed text about which URL to resolve relative authorization/token endpoint URLs from</li>
+        </ul>
+      </section>
+
+      <section id="changes-from-25-january-2020-to-09-august-2020">
+        <h3 id="c-2-changes-from-25-january-2020-to-09-august-2020"><bdi class="secno">C.2 </bdi>Changes from 25 January 2020 to 09 August 2020<a class="self-link" aria-label="§" href="#changes-from-25-january-2020-to-09-august-2020"></a></h3>
         <ul>
-          <li id="changes-from-25-january-2020-to-this-version-li-1">Drop the <code>me</code> parameter from the token endpoint request</li>
-          <li id="changes-from-25-january-2020-to-this-version-li-2">Consolidate the authentication and authorization sections into a single section, describing only the difference which is the response returned.</li>
-          <li id="changes-from-25-january-2020-to-this-version-li-3">Drop the section describing communication between token endpoints and authorization endpoints as it was underused</li>
-          <li id="changes-from-25-january-2020-to-this-version-li-4">Editorial changes and rearranging sections</li>
+          <li id="changes-from-25-january-2020-to-09-august-2020-li-1">Drop the <code>me</code> parameter from the token endpoint request</li>
+          <li id="changes-from-25-january-2020-to-09-august-2020-li-2">Consolidate the authentication and authorization sections into a single section, describing only the difference which is the response returned.</li>
+          <li id="changes-from-25-january-2020-to-09-august-2020-li-3">Drop the section describing communication between token endpoints and authorization endpoints as it was underused</li>
+          <li id="changes-from-25-january-2020-to-09-august-2020-li-4">Editorial changes and rearranging sections</li>
         </ul>
       </section>
 
       <section id="changes-from-03-march-2019-to-25-january-2020">
-        <h3 id="c-2-changes-from-03-march-2019-to-25-january-2020"><bdi class="secno">C.2 </bdi>Changes from 03 March 2019 to 25 January 2020<a class="self-link" aria-label="§" href="#changes-from-03-march-2019-to-25-january-2020"></a></h3>
+        <h3 id="c-3-changes-from-03-march-2019-to-25-january-2020"><bdi class="secno">C.3 </bdi>Changes from 03 March 2019 to 25 January 2020<a class="self-link" aria-label="§" href="#changes-from-03-march-2019-to-25-january-2020"></a></h3>
         <ul>
           <li id="changes-from-03-march-2019-to-25-january-2020-li-1">Use "authentication" and "authorization" more consistently in paragraphs and diagrams</li>
           <li id="changes-from-03-march-2019-to-25-january-2020-li-2">Clarify that "Authorization Code Flow" is "OAuth 2.0 Authorization Code Flow"</li>
@@ -825,7 +915,7 @@ <h3 id="c-2-changes-from-03-march-2019-to-25-january-2020"><bdi class="secno">C.
       </section>
 
       <section id="changes-from-07-july-2018-to-03-march-2019">
-        <h3 id="c-3-changes-from-07-july-2018-to-03-march-2019"><bdi class="secno">C.3 </bdi>Changes from 07 July 2018 to 03 March 2019<a class="self-link" aria-label="§" href="#changes-from-07-july-2018-to-03-march-2019"></a></h3>
+        <h3 id="c-4-changes-from-07-july-2018-to-03-march-2019"><bdi class="secno">C.4 </bdi>Changes from 07 July 2018 to 03 March 2019<a class="self-link" aria-label="§" href="#changes-from-07-july-2018-to-03-march-2019"></a></h3>
         <ul>
           <li id="changes-from-07-july-2018-to-03-march-2019-li-1">Updates the spec header to note that it is a living standard</li>
           <li id="changes-from-07-july-2018-to-03-march-2019-li-2">Minor typo fixes</li>
@@ -833,7 +923,7 @@ <h3 id="c-3-changes-from-07-july-2018-to-03-march-2019"><bdi class="secno">C.3 <
       </section>
 
       <section id="changes-from-23-january-2018-to-07-july-2018">
-        <h3 id="c-4-changes-from-23-january-2018-to-07-july-2018"><bdi class="secno">C.4 </bdi>Changes from <a href="https://www.w3.org/TR/2018/NOTE-indieauth-20180123/">23 January 2018</a> to 07 July 2018<a class="self-link" aria-label="§" href="#changes-from-23-january-2018-to-07-july-2018"></a></h3>
+        <h3 id="c-5-changes-from-23-january-2018-to-07-july-2018"><bdi class="secno">C.5 </bdi>Changes from <a href="https://www.w3.org/TR/2018/NOTE-indieauth-20180123/">23 January 2018</a> to 07 July 2018<a class="self-link" aria-label="§" href="#changes-from-23-january-2018-to-07-july-2018"></a></h3>
         <ul>
           <li id="changes-from-23-january-2018-to-07-july-2018-li-1">Replaced references to RFC 5988 with RFC 8288 (<a href="https://github.com/indieweb/indieauth/commit/69d1d51e9541d8b76233793099b359de898a7154">diff</a>)</li>
           <li id="changes-from-23-january-2018-to-07-july-2018-li-2">Added <code>Accept: application/json</code> header to example requests (<a href="https://github.com/indieweb/indieauth/commit/bfa39332ea3a38ff31efb7101db5b20f2ecbaff7">diff</a>)</li>
@@ -841,7 +931,7 @@ <h3 id="c-4-changes-from-23-january-2018-to-07-july-2018"><bdi class="secno">C.4
       </section>
 
       <section id="changes-from-07-july-2018-to-03-march-2019-0">
-        <h3 id="c-5-changes-from-07-july-2018-to-03-march-2019"><bdi class="secno">C.5 </bdi>Changes from 07 July 2018 to 03 March 2019<a class="self-link" aria-label="§" href="#changes-from-07-july-2018-to-03-march-2019-0"></a></h3>
+        <h3 id="c-6-changes-from-07-july-2018-to-03-march-2019"><bdi class="secno">C.6 </bdi>Changes from 07 July 2018 to 03 March 2019<a class="self-link" aria-label="§" href="#changes-from-07-july-2018-to-03-march-2019-0"></a></h3>
 
         <ul>
           <li id="changes-from-07-july-2018-to-03-march-2019-0-li-1">Added missing ampersand in HTTP redirect example (<a href="https://github.com/indieweb/indieauth/commit/ffaf128e01712ca38f3a7dd412749c2bf2f1c99a">diff</a>)</li>
@@ -874,7 +964,7 @@ <h3 id="d-1-normative-references"><bdi class="secno">D.1 </bdi>
         Normative references
       <a class="self-link" aria-label="§" href="#normative-references"></a></h3>
     <dl class="bibliography">
-      <dt id="bib-fetch">[Fetch]</dt><dd><a href="https://fetch.spec.whatwg.org/"><cite>Fetch Standard</cite></a>. Anne van Kesteren.  WHATWG. Living Standard. URL: <a href="https://fetch.spec.whatwg.org/">https://fetch.spec.whatwg.org/</a></dd><dt id="bib-h-app">[h-app]</dt><dd><a href="https://microformats.org/wiki/h-app"><cite>h-app</cite></a>. Aaron Parecki.  microformats.org. Living Specification. URL: <a href="https://microformats.org/wiki/h-app">https://microformats.org/wiki/h-app</a></dd><dt id="bib-html">[HTML]</dt><dd><a href="https://html.spec.whatwg.org/multipage/"><cite>HTML Standard</cite></a>. Anne van Kesteren; Domenic Denicola; Ian Hickson; Philip Jägenstedt; Simon Pieters.  WHATWG. Living Standard. URL: <a href="https://html.spec.whatwg.org/multipage/">https://html.spec.whatwg.org/multipage/</a></dd><dt id="bib-rfc2119">[RFC2119]</dt><dd><a href="https://tools.ietf.org/html/rfc2119"><cite>Key words for use in RFCs to Indicate Requirement Levels</cite></a>. S. Bradner.  IETF. March 1997. Best Current Practice. URL: <a href="https://tools.ietf.org/html/rfc2119">https://tools.ietf.org/html/rfc2119</a></dd><dt id="bib-rfc6749">[RFC6749]</dt><dd><a href="https://tools.ietf.org/html/rfc6749"><cite>The OAuth 2.0 Authorization Framework</cite></a>. D. Hardt, Ed..  IETF. October 2012. Proposed Standard. URL: <a href="https://tools.ietf.org/html/rfc6749">https://tools.ietf.org/html/rfc6749</a></dd><dt id="bib-rfc6750">[RFC6750]</dt><dd><a href="https://tools.ietf.org/html/rfc6750"><cite>The OAuth 2.0 Authorization Framework: Bearer Token Usage</cite></a>. M. Jones; D. Hardt.  IETF. October 2012. Proposed Standard. URL: <a href="https://tools.ietf.org/html/rfc6750">https://tools.ietf.org/html/rfc6750</a></dd><dt id="bib-rfc7009">[RFC7009]</dt><dd><a href="https://tools.ietf.org/html/rfc7009"><cite>OAuth 2.0 Token Revocation</cite></a>. T. Lodderstedt, Ed.; S. Dronia; M. Scurtescu.  IETF. August 2013. Proposed Standard. URL: <a href="https://tools.ietf.org/html/rfc7009">https://tools.ietf.org/html/rfc7009</a></dd><dt id="bib-rfc7159">[RFC7159]</dt><dd><a href="https://tools.ietf.org/html/rfc7159"><cite>The JavaScript Object Notation (JSON) Data Interchange Format</cite></a>. T. Bray, Ed..  IETF. March 2014. Proposed Standard. URL: <a href="https://tools.ietf.org/html/rfc7159">https://tools.ietf.org/html/rfc7159</a></dd><dt id="bib-rfc7231">[RFC7231]</dt><dd><a href="https://httpwg.org/specs/rfc7231.html"><cite>Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content</cite></a>. R. Fielding, Ed.; J. Reschke, Ed..  IETF. June 2014. Proposed Standard. URL: <a href="https://httpwg.org/specs/rfc7231.html">https://httpwg.org/specs/rfc7231.html</a></dd><dt id="bib-rfc8288">[RFC8288]</dt><dd><a href="https://httpwg.org/specs/rfc8288.html"><cite>Web Linking</cite></a>. M. Nottingham.  IETF. October 2017. Proposed Standard. URL: <a href="https://httpwg.org/specs/rfc8288.html">https://httpwg.org/specs/rfc8288.html</a></dd><dt id="bib-url">[URL]</dt><dd><a href="https://url.spec.whatwg.org/"><cite>URL Standard</cite></a>. Anne van Kesteren.  WHATWG. Living Standard. URL: <a href="https://url.spec.whatwg.org/">https://url.spec.whatwg.org/</a></dd>
+      <dt id="bib-fetch">[Fetch]</dt><dd><a href="https://fetch.spec.whatwg.org/"><cite>Fetch Standard</cite></a>. Anne van Kesteren.  WHATWG. Living Standard. URL: <a href="https://fetch.spec.whatwg.org/">https://fetch.spec.whatwg.org/</a></dd><dt id="bib-h-app">[h-app]</dt><dd><a href="https://microformats.org/wiki/h-app"><cite>h-app</cite></a>. Aaron Parecki.  microformats.org. Living Specification. URL: <a href="https://microformats.org/wiki/h-app">https://microformats.org/wiki/h-app</a></dd><dt id="bib-html">[HTML]</dt><dd><a href="https://html.spec.whatwg.org/multipage/"><cite>HTML Standard</cite></a>. Anne van Kesteren; Domenic Denicola; Ian Hickson; Philip Jägenstedt; Simon Pieters.  WHATWG. Living Standard. URL: <a href="https://html.spec.whatwg.org/multipage/">https://html.spec.whatwg.org/multipage/</a></dd><dt id="bib-rfc2119">[RFC2119]</dt><dd><a href="https://tools.ietf.org/html/rfc2119"><cite>Key words for use in RFCs to Indicate Requirement Levels</cite></a>. S. Bradner.  IETF. March 1997. Best Current Practice. URL: <a href="https://tools.ietf.org/html/rfc2119">https://tools.ietf.org/html/rfc2119</a></dd><dt id="bib-rfc6749">[RFC6749]</dt><dd><a href="https://tools.ietf.org/html/rfc6749"><cite>The OAuth 2.0 Authorization Framework</cite></a>. D. Hardt, Ed..  IETF. October 2012. Proposed Standard. URL: <a href="https://tools.ietf.org/html/rfc6749">https://tools.ietf.org/html/rfc6749</a></dd><dt id="bib-rfc6750">[RFC6750]</dt><dd><a href="https://tools.ietf.org/html/rfc6750"><cite>The OAuth 2.0 Authorization Framework: Bearer Token Usage</cite></a>. M. Jones; D. Hardt.  IETF. October 2012. Proposed Standard. URL: <a href="https://tools.ietf.org/html/rfc6750">https://tools.ietf.org/html/rfc6750</a></dd><dt id="bib-rfc7009">[RFC7009]</dt><dd><a href="https://tools.ietf.org/html/rfc7009"><cite>OAuth 2.0 Token Revocation</cite></a>. T. Lodderstedt, Ed.; S. Dronia; M. Scurtescu.  IETF. August 2013. Proposed Standard. URL: <a href="https://tools.ietf.org/html/rfc7009">https://tools.ietf.org/html/rfc7009</a></dd><dt id="bib-rfc7159">[RFC7159]</dt><dd><a href="https://tools.ietf.org/html/rfc7159"><cite>The JavaScript Object Notation (JSON) Data Interchange Format</cite></a>. T. Bray, Ed..  IETF. March 2014. Proposed Standard. URL: <a href="https://tools.ietf.org/html/rfc7159">https://tools.ietf.org/html/rfc7159</a></dd><dt id="bib-rfc7231">[RFC7231]</dt><dd><a href="https://httpwg.org/specs/rfc7231.html"><cite>Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content</cite></a>. R. Fielding, Ed.; J. Reschke, Ed..  IETF. June 2014. Proposed Standard. URL: <a href="https://httpwg.org/specs/rfc7231.html">https://httpwg.org/specs/rfc7231.html</a></dd><dt id="bib-rfc7636">[RFC7636]</dt><dd><a href="https://tools.ietf.org/html/rfc7636"><cite>Proof Key for Code Exchange by OAuth Public Clients</cite></a>. N. Sakimura, Ed.; J. Bradley; N. Agarwal.  IETF. September 2015. Proposed Standard. URL: <a href="https://tools.ietf.org/html/rfc7636">https://tools.ietf.org/html/rfc7636</a></dd><dt id="bib-rfc8288">[RFC8288]</dt><dd><a href="https://httpwg.org/specs/rfc8288.html"><cite>Web Linking</cite></a>. M. Nottingham.  IETF. October 2017. Proposed Standard. URL: <a href="https://httpwg.org/specs/rfc8288.html">https://httpwg.org/specs/rfc8288.html</a></dd><dt id="bib-url">[URL]</dt><dd><a href="https://url.spec.whatwg.org/"><cite>URL Standard</cite></a>. Anne van Kesteren.  WHATWG. Living Standard. URL: <a href="https://url.spec.whatwg.org/">https://url.spec.whatwg.org/</a></dd>
     </dl></section><section id="informative-references">
       <h3 id="d-2-informative-references"><bdi class="secno">D.2 </bdi>
         Informative references