
Update OAuth Section #325

Merged
tulshi merged 4 commits into openid:main from jischr:main on May 13, 2026

Conversation

@jischr jischr commented Apr 1, 2026

Contributor

Update OAuth section for Clarity and to remove reference to OPRM.

@jischr jischr requested a review from a team as a code owner April 1, 2026 22:07

jischr commented Apr 2, 2026

Contributor Author

Alternative option to the ASCII drawing would be to replace it with the text below (or similar). Both accomplish my goal of clarity on the mapping of OAuth roles to SSF roles. @thomasdarimont what do you think would be most useful to a reader?

## OAuth Support

This profile requires OAuth 2.0 {{RFC6749}} support. The following roles apply:

* Client: the SSF Receiver
* Resource Server: the SSF Transmitter
* Authorization Server: a service trusted by the SSF Transmitter

@thomasdarimont

Contributor

I think the classification is sufficient. Perhaps we can find a more precise description for "a service trusted by the SSF Transmitter", e.g.: "Authorization Server: the OAuth 2.0 Authorization Server that issues access tokens accepted by the SSF Transmitter endpoints."

Comment thread on openid-caep-interoperability-profile-1_0.md (outdated)

thomasdarimont commented Apr 12, 2026

Contributor

@ysarig75
> Do you expect the OPRM URL to be https:///.well-known/oauth-protected-resource?

No, in your case https://somehost/.well-known/ssf-configuration/ssf/subscribers/5134159e-4fc8-48e2-8718-540d7f54ee56, I'd expect the issuer URL to be https://somehost/ssf/subscribers/5134159e-4fc8-48e2-8718-540d7f54ee56.
Given that, I expect to be able to derive the OPRM metadata URL as https://somehost/.well-known/oauth-protected-resource/ssf/subscribers/5134159e-4fc8-48e2-8718-540d7f54ee56

In the wild I have seen the following variants:

Variant 1. Issuer without path: https://subdomain.acme.test

  • SSF Metadata URL: https://subdomain.acme.test/.well-known/ssf-configuration
  • OPRM Metadata URL: https://subdomain.acme.test/.well-known/oauth-protected-resource

Variant 2. Issuer with path: https://acme.test/my/path

  • OPRM Metadata URL: https://acme.test/.well-known/oauth-protected-resource/my/path

For the OPRM metadata URL, we append the custom path to the /.well-known/oauth-protected-resource prefix according to https://datatracker.ietf.org/doc/html/rfc9728#section-3.1

If we follow this pattern, we can derive the oauth auth server to use the following way:

  1. Starting from the issuer URL https://acme.test/my/path
  2. Derive SSF Metadata URL (see if we have an SSF Transmitter) https://acme.test/.well-known/ssf-configuration/my/path
  3. Check if the SSF Transmitter exposes OPRM Metadata URL via https://acme.test/.well-known/oauth-protected-resource/my/path
  4. If OPRM metadata is present, use "an" authorization server from the authorization_servers if present.
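The four-step derivation above, written out as an added example that is not part of this PR or of the profile's own code. It assumes the two well-known prefixes named in the thread, a constructed OPRM document standing in for a live fetch, and adds the RFC 9728 Section 3.3 check that the document's `resource` matches the issuer you started from before trusting its `authorization_servers`.

```python
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

SSF_WELL_KNOWN = "/.well-known/ssf-configuration"
OPRM_WELL_KNOWN = "/.well-known/oauth-protected-resource"  # RFC 9728, Section 3.1


def well_known_url(issuer: str, suffix: str) -> str:
    """Insert a well-known suffix between host and path (RFC 9728, Section 3.1).

    Variant 1 (no path): https://h         -> https://h/.well-known/<suffix>
    Variant 2 (path):    https://h/my/path -> https://h/.well-known/<suffix>/my/path
    """
    parts = urlsplit(issuer)
    if parts.scheme != "https" or not parts.netloc or parts.query or parts.fragment:
        raise ValueError("issuer must be an https URL without query or fragment")
    path = parts.path.rstrip("/")  # a bare trailing slash is the same as no path
    return urlunsplit((parts.scheme, parts.netloc, suffix + path, "", ""))


def ssf_metadata_url(issuer: str) -> str:      # step 2
    return well_known_url(issuer, SSF_WELL_KNOWN)


def oprm_metadata_url(issuer: str) -> str:     # step 3
    return well_known_url(issuer, OPRM_WELL_KNOWN)


def resource_matches_issuer(issuer: str, oprm_doc: dict) -> bool:
    # RFC 9728 Section 3.3: the 'resource' value MUST be identical to the
    # resource identifier the well-known string was inserted into.
    return oprm_doc.get("resource") == issuer


def select_authorization_server(issuer: str, oprm_doc: dict) -> Optional[str]:
    # Step 4: use "an" authorization server from authorization_servers, but only
    # from a document that is actually about this issuer; a document served for
    # some other resource must not steer the Receiver to a different AS.
    if not resource_matches_issuer(issuer, oprm_doc):
        raise ValueError("OPRM 'resource' does not match the issuer URL")
    servers = oprm_doc.get("authorization_servers") or []
    return servers[0] if servers else None


# Constructed sample OPRM document for Variant 2 (not taken from the thread).
SAMPLE_OPRM = {
    "resource": "https://acme.test/my/path",
    "authorization_servers": ["https://auth.acme.test"],
}
```

A real Receiver would GET `oprm_metadata_url(issuer)` over TLS and feed the parsed JSON to `select_authorization_server`; the sample document stands in for that response here.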


jischr commented May 11, 2026

Contributor Author

@derrumbe @ysarig75 @thomasdarimont @atultulshi @apoorvadeshpande-okta - please take a look. I've removed the reference to OPRM as well as the ASCII drawing, as discussed.

@thomasdarimont thomasdarimont left a comment

Contributor

LGTM

@tulshi tulshi merged commit 83aea0d into openid:main May 13, 2026
2 checks passed