RE: Possible discrepancy in OAuth extension - scope encoding in token validation request

Tue, 01 Nov 2011 07:46:08 -0700 

Hi John!

Then I got you right the first time.
When it comes to the API between the Authorization server and the Resource 
server it is outside of the scope of the OAuth 2 spec. Here is a quote:

"1.1.  Roles

   OAuth defines four roles:

   resource owner
      An entity capable of granting access to a protected resource (e.g.
      end-user).
   resource server
      The server hosting the protected resources, capable of accepting
      and responding to protected resource requests using access tokens.
   client
      An application making protected resource requests on behalf of the
      resource owner and with its authorization.
   authorization server
      The server issuing access tokens to the client after successfully
      authenticating the resource owner and obtaining authorization.

   The interaction between the authorization server and resource server
   is beyond the scope of this specification.  The authorization server
   may be the same server as the resource server or a separate entity.
   A single authorization server may issue access tokens accepted by
   multiple resource servers."


Having that said in Restlet the interfaces are designed in a way so that you 
should use them and not care about the wire protocol.
If there is only a very small adjustment we could think about aligning with the 
Spring implementation as long nothing else is breaking.

Could you send me more information to my mail if you want it look at on our 
side? I would need a wireshark trace on how Spring RS talks to a Spring AS to 
determine if we could align. And also maybe some pointers how you configure the 
server.

Just as a note the intended way for interoperability is between the web client 
and the authorization server. There are also pointers on where to put the 
token, so also client to resource server is specified. But this one in general 
you would not be able to match RS and AS. 

This group is the only one I know that is trying to actively push for a 
standard.
http://kantarainitiative.org/confluence/display/uma/Home

BR Stoffe

------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2870505

Reply via email to