Hi Devs,

I want to secure a set of APIs using OAuth 2.0. The resource server has APIs of two types, X and Y. The client authenticates itself with the authorization server (say, via the resource owner password credentials grant...) and gets an access token.

The authorization server has two types of users (roles):

role A
role B

Users of role A should be able to access both resources X and Y, whereas users of role B can only access resources of type Y. Authorization is the concern here. How can we pass that info to the resource server? Since OAuth is an authorization framework, we don't have to deal with user roles at the resource server, right (correct me if I'm wrong...)? If so, is the 'scope' parameter in the access token the correct approach?

Thanks,
--Pradeep
_______________________________________________ Dev mailing list Dev@wso2.org http://wso2.org/cgi-bin/mailman/listinfo/dev
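As an added illustration of the scope-based approach asked about above (example code written for this page; it is not part of Pradeep's post and not WSO2 code), the following self-contained Python sketch shows the division of labour between the two servers: the authorization server authenticates the user, translates the user's role into scopes and signs them into the access token, and the resource server never sees a role at all, only the scope claim, which it checks against the resource type being requested. The scope names (`resource:X`, `resource:Y`), the role-to-scope mapping, the shared HMAC key and the compact token format are all assumptions made for the example; a real deployment would use standard JWTs with asymmetric keys or token introspection.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed for this example: an HMAC key shared between the authorization
# server and the resource server. Production systems should prefer asymmetric
# signatures (JWS with a JWKS endpoint) or token introspection instead.
SHARED_KEY = b"example-shared-key-not-for-production"

# Assumed role -> scope mapping held by the authorization server only.
# Role A may reach both resource types; role B only type Y.
ROLE_SCOPES = {
    "A": {"resource:X", "resource:Y"},
    "B": {"resource:Y"},
}

# Assumed mapping, on the resource server, from API type to required scope.
REQUIRED_SCOPE = {"X": "resource:X", "Y": "resource:Y"}


def _b64(data: bytes) -> str:
    """URL-safe base64 without padding (JWT style)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    """Inverse of _b64; restores the stripped padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(username: str, role: str, ttl: int = 300, now: int = None) -> str:
    """Authorization server side: after the user has authenticated (e.g. via the
    resource owner password credentials grant), map the role to scopes and sign
    them into a compact 'payload.signature' token. The role itself is not sent."""
    if role not in ROLE_SCOPES:
        raise ValueError("unknown role")
    now = int(time.time()) if now is None else now
    payload = {
        "sub": username,
        "scope": " ".join(sorted(ROLE_SCOPES[role])),  # space-separated, as in RFC 6749
        "iat": now,
        "exp": now + ttl,
    }
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    sig = _b64(hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_token(token: str, now: int = None):
    """Resource server side: check the signature and expiry before trusting any
    claim. Returns the claims dict, or None if the token must be rejected."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).digest()
    # Constant-time comparison so a forged signature cannot be probed byte by byte.
    if not hmac.compare_digest(_unb64(sig), expected):
        return None
    claims = json.loads(_unb64(body))
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:
        return None
    return claims


def authorize(token: str, resource_type: str, now: int = None) -> bool:
    """Resource server side: allow the call only if the (valid) token carries
    the scope required for the requested resource type ('X' or 'Y')."""
    claims = verify_token(token, now)
    if claims is None:
        return False
    granted = set(claims.get("scope", "").split())
    return REQUIRED_SCOPE.get(resource_type) in granted


if __name__ == "__main__":
    # Constructed demo: two users, one per role, hitting both resource types.
    for user, role in (("alice", "A"), ("bob", "B")):
        token = issue_token(user, role)
        for rtype in ("X", "Y"):
            print(f"{user} (role {role}) -> {rtype}: {authorize(token, rtype)}")
```

The point the example makes concrete is that the resource server's decision depends only on the scope claim and the token's integrity; it needs no user directory and no knowledge of roles. Whatever token format is actually used, the resource server must verify the signature (or introspect the token) and the expiry before reading the scope, otherwise a client could simply write `resource:X` into its own token.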