Alastair,
My (strong) opinion is that the terms "resource owner" and "end user"
are not interchangeable.
In the interest of extensibility, we should foresee a situation that
will involve more than one end user, of which some may not necessarily
be resource owners. In fact, I would prefer not to define end user as a
"human resource owner."
But given that end user is defined so, it implies that there are
non-human resource owners, and so end users, as defined, form a subset
of resource owners.
I think that it is the common understanding that there ought to be
non-human resource owners. For instance, a process can create and,
subsequently, grant access to its resources. (I think this will be the
standard practice in cloud computing.)
Igor
Alastair Mair wrote:
In the current draft spec section 1.2 on terminology the definition of resource owner is "An
entity capable of granting access to a protected resource" and end user is "A human
resource owner".
In section 4.1.2 "Resource owner Password credentials" it talks of supplying
the resource owner's username and password. However, the text below talks of the server
validating the end-user credentials, which is slightly confusing.
I note that the initial draft (draft 1) defined resource owner as "an entity
(generally an end-user)..." So, is the intention that resource owner and end-user
are effectively synonymous?
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth