Hi Torsten!

Great that you compiled the list on WG items.
IMO there is one item missing and that is to create an optional formal 
interface between the authorization server and the protected resource.
It could increase the productivity of creating OAuth-protected web services 
when the auth server can be treated as an off-the-shelf piece of code.
Then it would be up to the auth server to also provide a number of other 
extensions like discovery, token revocation and others.

The next most important for me is discovery, but here I would rather want to 
tie in to existing technologies that already describe REST resources, like WADL, 
so that the OAuth discovery metadata just deals with two levels of metadata. 
The first being more static information about the OAuth server that is 
authoritative over the protected resource.
The second would be the endpoint-specific authorization data about the resource: 
what kind of scopes are required for me to fulfill a successful request. But 
here it needs to be more innovative, since it might be a different answer if I 
am trying to do an HTTP GET than what would be needed if I am trying to do an 
HTTP DELETE request on a protected resource.

We are actually trying to experiment with the two different APIs, for the auth 
server <-> protected resource IF and for resource discovery, to get hands-on 
experience of how they could look.
So if others see the same value, we would be happy to collaborate and try to 
contribute to it becoming something agreed upon within this WG.
The good part is that all of our experiments are shared in open source, so 
others could also join in, and we do not have any strong opinion that it has to 
be solved our way.

BR Kristoffer
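As an added illustration (not code from Kristoffer's post, nor from any WG draft or from his project), here is what the two-level discovery metadata and the method-dependent scope check on the protected resource could look like; the document layout, field names, hosts and scope names are assumptions of this example, and an endpoint or method the document does not describe is denied rather than guessed.

```python
import re
from typing import Iterable, Optional

# Constructed two-level discovery document for this example. The field names
# are assumptions for illustration, not a format defined by the WG or the author.
DISCOVERY = {
    "authorization_server": {  # level 1: static facts about the authoritative AS
        "issuer": "https://as.example",                 # placeholder host
        "token_endpoint": "https://as.example/token",   # placeholder endpoint
    },
    "resources": {  # level 2: per-endpoint, per-method scope requirements
        "/photos/{id}": {
            "GET": ["photos:read"],
            "DELETE": ["photos:read", "photos:write"],
        },
        "/photos": {
            "GET": ["photos:read"],
            "POST": ["photos:write"],
        },
    },
}


def _template_to_regex(template: str):
    # "/photos/{id}" -> ^/photos/[^/]+$ ; fixed segments are regex-escaped.
    parts = [r"[^/]+" if p.startswith("{") and p.endswith("}") else re.escape(p)
             for p in template.split("/")]
    return re.compile("^" + "/".join(parts) + "$")


def required_scopes(path: str, method: str) -> Optional[list]:
    """Scopes the discovery document requires for a concrete path and method.
    Returns None when the endpoint or the method is not described (fail closed)."""
    for template, methods in DISCOVERY["resources"].items():
        if _template_to_regex(template).match(path):
            scopes = methods.get(method.upper())
            return list(scopes) if scopes is not None else None
    return None


def authorize(path: str, method: str, granted: Iterable[str]) -> bool:
    """True only if every scope required for (path, method) was granted to the token."""
    needed = required_scopes(path, method)
    if needed is None:
        return False  # undescribed endpoint or method: deny rather than guess
    return set(needed) <= set(granted)
```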

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth