When configuring an OAuth2 client in the Spotfire server config GUI, the dialogue will not close unless a Metadata URL is entered.
It is incorrect to require this since the OAuth 2.0 Authorization Framework (RFC 6749) does not require a metadata URL. In fact, RFC 6749 does not mention metadata discovery at all because OAuth2 does not include a built-in discovery mechanism.
As a result of this requirement, it's not possible to use the internal OAuth2 provider in data sources such as Snowflake.
With respect to RFC 6749:
OAuth2 Clients Must Be Explicitly Configured
Section 3.2 (Authorization Endpoint) states:
"The authorization endpoint is the endpoint to which the client sends the user-agent to request authorization."
This shows that clients must know the authorization endpoint beforehand, meaning there is no requirement for dynamic discovery via a metadata URL.
Token Endpoint Must Be Explicitly Known
Section 3.3 (Token Endpoint) states:
"The token endpoint is the endpoint to which the client sends the authorization code to obtain an access token."
Again, no mention of metadata discovery—OAuth2 clients must already know this endpoint.
Client Registration Does Not Involve Discovery
Section 4.1 (Client Registration) states:
"Clients must register with the authorization server in order to obtain their client credentials (i.e., client ID and client secret)."
OAuth2 clients get their credentials through manual registration, not through a metadata URL.
RFC 8414 (OAuth 2.0 Authorization Server Metadata) introduces the concept of a metadata URL, but this is not part of the core OAuth2 specification (RFC 6749).
I have raised this previously, but it was incorrectly suggested that this is not in fact a product defect but an enhancement idea. This prevented one customer from making use of their Snowflake internal provider and forced them to use Entra instead.
Kindly correct the oversight and remove the requirement for a metadata URL.
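The validation behaviour requested above, as an added example that is not part of the original request and is not Spotfire's code: statically configured endpoints are accepted on their own, and a metadata URL is consulted only when an endpoint is missing, with the RFC 8414 issuer check applied. The field names, the `fetch_metadata` callable and the sample values are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Field names are hypothetical, not Spotfire's configuration schema.
ENDPOINTS = ("authorization_endpoint", "token_endpoint")
WELL_KNOWN = "/.well-known/oauth-authorization-server"  # RFC 8414 section 3


def check_url(name, url):
    """RFC 6749 endpoint rules: TLS required, no fragment component."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"{name} must be an absolute https URL")
    if parts.fragment:
        raise ValueError(f"{name} must not contain a fragment")
    return url


def resolve_endpoints(config, fetch_metadata=None):
    """Return the client's endpoints; metadata_url is optional."""
    if not config.get("client_id"):
        raise ValueError("client_id is required")
    found = {k: config[k] for k in ENDPOINTS if config.get(k)}
    url = config.get("metadata_url")
    if url and len(found) < len(ENDPOINTS):
        # Discovery runs only to fill in endpoints that were not configured.
        path = urlsplit(check_url("metadata_url", url)).path
        rest = path[len(WELL_KNOWN):]
        if not path.startswith(WELL_KNOWN) or (rest and rest[0] != "/"):
            raise ValueError("metadata_url is not in RFC 8414 form")
        doc = fetch_metadata(url)  # caller supplies the HTTP fetch
        # RFC 8414 section 3.3: issuer must match the one the URL was built from.
        if doc.get("issuer") != f"https://{urlsplit(url).netloc}{rest}":
            raise ValueError("metadata issuer does not match metadata_url")
        # Explicitly configured values win over discovered ones.
        found = {**{k: doc[k] for k in ENDPOINTS if k in doc}, **found}
    missing = [k for k in ENDPOINTS if k not in found]
    if missing:
        raise ValueError(f"missing {missing}: set them or provide metadata_url")
    return {k: check_url(k, found[k]) for k in ENDPOINTS}

# Constructed sample: static configuration with no metadata URL at all.
STATIC = {
    "client_id": "demo-client",
    "authorization_endpoint": "https://as.example/oauth/authorize",
    "token_endpoint": "https://as.example/oauth/token",
}

if __name__ == "__main__":
    print(resolve_endpoints(STATIC))
```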