I have a question concerning the OAuth philosophy: How many resource servers may be managed by a single OAuth authorization server? (a) A single resource server or (b) several of them exposing different resource types?

If the answer is (b) then how is a particular resource server identified in the protocol? Clients have Ids, end-users as well (at least in a future protocol extension), but what about resource server Ids?

I think resource servers must be identifiable in multi-server deployments for several reasons:
- Interpretation of the scope parameter should be resource server specific - "read" may have different meanings in mail and address book
- An authorization server probably wants to apply server-specific security policy, e.g. different access token durations
- It will be possible to create special tokens per server

I think we should introduce a resource server id in the authz and access token request.

Any thoughts?

regards,
Torsten.


_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
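The behaviour the message argues for, worked through as an added example that is not part of the original message or of any OAuth draft: the authorization server takes a resource server id with the token request, interprets the requested scope against that server's own scope set, applies that server's token lifetime, and binds the token to that server so it is rejected elsewhere. The resource server ids, scopes, lifetimes, the HMAC-signed token format and the single signing key shared between the authorization server and its resource servers are all assumptions made for this example. (The idea later became the `resource` parameter of RFC 8707, Resource Indicators for OAuth 2.0.)

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed sample registry for one authorization server (AS) that manages
# several resource servers. Ids, scopes, lifetimes and the key are assumptions
# for this example, not anything defined by OAuth.
RESOURCE_SERVERS = {
    # "read" on mail means reading messages; the short lifetime is a
    # server-specific policy choice.
    "mail": {"scopes": {"read", "write"}, "token_ttl": 3600},
    # "read" on the address book means reading contacts; no write scope is
    # offered here, and tokens may live for a day.
    "addressbook": {"scopes": {"read"}, "token_ttl": 86400},
}

# One signing key shared by the AS with all of its resource servers, so the
# audience check (not the signature) is what stops a token issued for one
# server from being accepted by another. Assumed for the example.
AS_SIGNING_KEY = b"example-authorization-server-key"


class AuthorizationError(Exception):
    """Raised when the AS refuses a token request."""


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(client_id: str, resource_id: str, scopes, now: Optional[int] = None) -> str:
    """AS side: resolve the resource server id, then interpret scope and apply policy for it."""
    rs = RESOURCE_SERVERS.get(resource_id)
    if rs is None:
        raise AuthorizationError(f"unknown resource server: {resource_id}")
    requested = set(scopes)
    unknown = requested - rs["scopes"]
    if unknown:
        raise AuthorizationError(
            f"scope(s) {sorted(unknown)} not defined for resource server {resource_id}")
    now = int(time.time()) if now is None else now
    claims = {
        "client_id": client_id,
        "aud": resource_id,            # the resource server this token is bound to
        "scope": sorted(requested),
        "iat": now,
        "exp": now + rs["token_ttl"],  # server-specific lifetime
    }
    body = _b64(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    sig = _b64(hmac.new(AS_SIGNING_KEY, body.encode("ascii"), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_token(resource_id: str, token: str, required_scope: str,
                 now: Optional[int] = None) -> Optional[dict]:
    """Resource server side: accept only an untampered, unexpired token issued for
    this server that carries the required scope. Returns the claims or None."""
    body, _, sig = token.partition(".")
    expected = hmac.new(AS_SIGNING_KEY, body.encode("ascii"), hashlib.sha256).digest()
    try:
        if not hmac.compare_digest(_unb64(sig), expected):
            return None
        claims = json.loads(_unb64(body))
    except ValueError:
        return None
    if not isinstance(claims, dict):
        return None
    now = int(time.time()) if now is None else now
    if claims.get("aud") != resource_id:
        return None  # issued for a different resource server
    if not claims.get("iat", 0) <= now < claims.get("exp", 0):
        return None
    if required_scope not in claims.get("scope", []):
        return None
    return claims


if __name__ == "__main__":
    mail_token = issue_token("client-123", "mail", ["read"], now=1000)
    print("mail accepts:", verify_token("mail", mail_token, "read", now=2000) is not None)
    print("addressbook accepts:", verify_token("addressbook", mail_token, "read", now=2000) is not None)
```

The `aud` claim is what makes the token "special per server": a mail token replayed against the address book fails even though both servers trust the same signing key. Because the registry is keyed by resource server id, the same scope string `read` is checked against each server's own scope set and the lifetime comes from that server's policy rather than from a global setting.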
