Add support for RFC9728 : OAuth 2.0 Protected Resource Metadata by yannj-fr · Pull Request #790 · authlib/authlib

LGTM, I pushed a few fixes (one typo, one missing f-string f prefix, applied linters, added a few tests to reach 100% coverage on this module, and some documentation fixes).

This PR does not fully implement RFC9728, but I think this is OK for a first step. What is missing:

  • Support for resource metadata signature §2 and the signed_metadata claim.
  • Registering a protected_resources claim for the authorization server metadata §4. (Implementation can take inspiration from RFC9101).
    • Plus maybe some utility to check the validity of the resource against the Authorization Server §4.
  • A way for resource_protector to generate proper WWW-Authenticate HTTP headers in responses §5.1. This may require a little bit of design since each resource can have its own metadata endpoint.

It would also be nice if Authlib provided a proper way for Resource Servers to register endpoints, like Authorization Servers do. This also probably requires a bit of design.

@lepture do you want to review?
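The gaps the review lists, sketched as stand-alone code: the §3.1 well-known URL derivation and §3.3 resource check, the §4 cross-check against the authorization server's optional protected_resources claim, and the §5.1 WWW-Authenticate challenge with its resource_metadata parameter (signed_metadata from §2.1 is not covered). This is an added example written for this page, not Authlib's API and not code from the pull request; the function names, the challenge parser, and both sample metadata documents are assumptions constructed for illustration and use only the standard library.

```python
"""RFC 9728 helpers for the gaps listed in the review, as stand-alone example code.
Not Authlib's API and not from the PR: every function name and both sample
metadata documents below are constructed for this illustration."""
import re
from typing import Dict, Optional
from urllib.parse import urlsplit, urlunsplit

WELL_KNOWN = "/.well-known/oauth-protected-resource"


def protected_resource_metadata_url(resource: str) -> str:
    """Section 3.1: insert the well-known suffix between host and path, e.g.
    https://rs.example.com/resource1 -> https://rs.example.com/.well-known/oauth-protected-resource/resource1"""
    p = urlsplit(resource)
    if p.scheme != "https" or not p.netloc or p.fragment:
        raise ValueError(f"not a valid resource identifier: {resource!r}")
    path = p.path.rstrip("/")  # a terminating "/" is dropped before inserting the suffix
    return urlunsplit((p.scheme, p.netloc, WELL_KNOWN + path, p.query, ""))


def resource_from_metadata_url(url: str) -> str:
    """Inverse of the above, so a client that only learned the URL from a
    WWW-Authenticate challenge knows which identifier it must see in "resource"."""
    p = urlsplit(url)
    rest = p.path[len(WELL_KNOWN):]
    if not p.path.startswith(WELL_KNOWN) or (rest and not rest.startswith("/")):
        raise ValueError(f"not a protected resource metadata URL: {url!r}")
    return urlunsplit((p.scheme, p.netloc, rest, p.query, ""))


def validate_protected_resource_metadata(doc: dict, expected_resource: str) -> dict:
    """Section 3.3: "resource" must be identical to the identifier the URL was
    derived from, otherwise the document must not be used; issuers follow RFC 8414."""
    if doc.get("resource") != expected_resource:
        raise ValueError(f"resource mismatch: {doc.get('resource')!r} != {expected_resource!r}")
    for issuer in doc.get("authorization_servers", []):
        q = urlsplit(issuer)
        if q.scheme != "https" or q.query or q.fragment:
            raise ValueError(f"invalid authorization server issuer: {issuer!r}")
    return doc


def cross_check_with_authorization_server(rs_doc: dict, as_doc: dict) -> Dict[str, Optional[bool]]:
    """Section 4 in both directions: the RS lists the AS in authorization_servers and
    the AS lists the RS in protected_resources. That claim is OPTIONAL in AS metadata,
    so None means the AS makes no statement, not that it denies the resource."""
    rs_lists_as = as_doc["issuer"] in rs_doc.get("authorization_servers", [])
    as_lists_rs = (rs_doc["resource"] in as_doc["protected_resources"]
                   if "protected_resources" in as_doc else None)
    return {"rs_lists_as": rs_lists_as, "as_lists_rs": as_lists_rs}


def _quote(value: str) -> str:
    # auth-param values are RFC 7235 quoted-strings: escape backslash and double quote
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_www_authenticate(metadata_url: str, error: Optional[str] = None,
                           error_description: Optional[str] = None,
                           scope: Optional[str] = None) -> str:
    """Section 5.1: a Bearer challenge carrying resource_metadata next to the
    RFC 6750 error, error_description and scope parameters."""
    params = [f"{k}={_quote(v)}" for k, v in (("error", error),
              ("error_description", error_description), ("scope", scope)) if v]
    params.append(f"resource_metadata={_quote(metadata_url)}")
    return "Bearer " + ", ".join(params)


_AUTH_PARAM = re.compile(r'([A-Za-z0-9_-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))')


def parse_www_authenticate(header: str) -> Dict[str, str]:
    """Client side of section 5: extract the auth-params from a Bearer challenge."""
    scheme, _, rest = header.strip().partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError(f"unsupported challenge scheme: {scheme!r}")
    return {name.lower(): re.sub(r"\\(.)", r"\1", quoted) if quoted else token
            for name, quoted, token in _AUTH_PARAM.findall(rest)}


# Constructed sample documents, not taken from any real deployment.
RS_METADATA = {"resource": "https://rs.example.com/resource1",
               "authorization_servers": ["https://as.example.com"],
               "bearer_methods_supported": ["header"]}
AS_METADATA = {"issuer": "https://as.example.com",
               "protected_resources": ["https://rs.example.com/resource1"]}


def demo() -> Dict[str, object]:
    """End to end: the RS answers 401 with a challenge, the client parses it, derives
    the expected identifier, validates the (here embedded) metadata and cross-checks."""
    url = protected_resource_metadata_url(RS_METADATA["resource"])
    challenge = build_www_authenticate(url, error="invalid_token",
                                       error_description="token expired", scope="read")
    expected = resource_from_metadata_url(parse_www_authenticate(challenge)["resource_metadata"])
    doc = validate_protected_resource_metadata(RS_METADATA, expected)
    return {"url": url, "challenge": challenge, "expected_resource": expected,
            "cross_check": cross_check_with_authorization_server(doc, AS_METADATA)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two caveats worth keeping in mind for a real implementation: a trailing "/" on the resource identifier does not survive the round trip through the well-known URL, so a resource server should publish the identifier in the exact form it derives the URL from, and because protected_resources is optional in authorization server metadata, a None from the cross-check should not be treated the same way as a False.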