Yeah ... seems like OAuth is definitely suited for different resource services - as written, scope takes care of that. For instance Facebook offers messages, photos, and a bunch of other services, across two different APIs (the Graph and REST) and we distinguish permissions using scope.
As others have asked, why can't you just have a bunch of different scopes like read_mail, read_webstorage, read_phone, etc?

On Jul 14, 2010, at 10:54 PM, Ivan Pulleyn wrote:

On Wed, Jul 14, 2010 at 10:49 PM, Torsten Lodderstedt <tors...@lodderstedt.net> wrote:

Did I get you right? Your answer is: OAuth is not suited for deployments with different resource servers which rely on a single authz server? I don't know why you categorize this as "complex". Is it so unusual to have, let's say, mail, webstorage, telephony, and payment services? At Deutsche Telekom, we operate such a deployment (with much more different resource servers) and I had hoped to move our token service towards OAuth v2. So would you recommend me to stick to our proprietary protocol?

I'm confused why scope isn't sufficient for your needs.

Ivan...

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth