Hi John! Then I got you right the first time. When it comes to the API between the Authorization server and the Resource server it is outside of the scope of the OAuth 2 spec. Here is a quote:
"1.1. Roles

OAuth defines four roles:

resource owner
    An entity capable of granting access to a protected resource (e.g. end-user).

resource server
    The server hosting the protected resources, capable of accepting and responding to protected resource requests using access tokens.

client
    An application making protected resource requests on behalf of the resource owner and with its authorization.

authorization server
    The server issuing access tokens to the client after successfully authenticating the resource owner and obtaining authorization.

The interaction between the authorization server and resource server is beyond the scope of this specification. The authorization server may be the same server as the resource server or a separate entity. A single authorization server may issue access tokens accepted by multiple resource servers."

Having said that, in Restlet the interfaces are designed in a way so that you should use them and not care about the wire protocol. If there is only a very small adjustment, we could think about aligning with the Spring implementation as long as nothing else is breaking.

Could you send me more information to my mail if you want it looked at on our side? I would need a Wireshark trace of how Spring RS talks to a Spring AS to determine if we could align. And also maybe some pointers on how you configure the server.

Just as a note, the intended way for interoperability is between the web client and the authorization server. There are also pointers on where to put the token, so client to resource server is also specified. But this one in general you would not be able to match RS and AS.

This group is the only one I know that is trying to actively push for a standard:
http://kantarainitiative.org/confluence/display/uma/Home

BR
Stoffe

------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2870505