On Thu, Feb 25, 2016 at 4:25 PM George Fletcher <gffle...@aol.com> wrote:
> Interesting... this is not at all my current experience :) If a RS goes
> from v2 of its API to v3 and that RS uses the current standard of putting
> a "v2" or "v3" in its API path... then a token issued for v2 of the API can
> not be sent to v3 of the API, because v3 wasn't registered/deployed
> when the token was issued.
>

Add to that:
- "restful" APIs have a lot of "endpoints" related to a single scope
- I know at least one AS that doesn't require RSs to register (I wonder how it all works, and whether it's really secure – I hope so, given the known RSs – but that's how it is): documentation can be found (in French) at https://doc.integ01.dev-franceconnect.fr/ (or https://integ01.dev-franceconnect.fr/ if the previous URL doesn't work for you, they have DNS configuration issues)
- even UMA doesn't register "resources" themselves, but only "resource sets", and it doesn't even require a) a URI for the resource set, or b) any "relationship" between the resource set URI (if any) and the URIs of the resources "in" the resource set: https://docs.kantarainitiative.org/uma/rec-oauth-resource-reg-v1_0_1.html

> The constant management of scopes to URI endpoints seems like a complexity
> that will quickly get out of hand.
>

+1
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth