So, in thinking about all this AS restricting tokens to RS and "discovery" of RS endpoints, etc., I wondered why we don't just leverage RS metadata like we have AS metadata.

For an AS we require an 'iss' claim to use as an identifier of the AS. We could do the same with RS metadata, retrieving the metadata from a .well-known location and including a claim of 'rsid' to use as an identifier of the Resource Server.

This 'rsid' identifier could then be used for registration with the AS and presentation by the client when requesting tokens.

This provides a separation between an identifier for a resource and the specific endpoints the token will be sent to. A client could "discover" the necessary endpoint on a periodic basis and use a single identifier with the AS for any of the endpoints or scopes supported by the RS. If desired, the RS could expose the supported scopes in the RS metadata file.

Thoughts?

Thanks,
George
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
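The client-side half of the proposal, as an added example that is not part of the original post or of any IETF draft: an RS metadata document is located from the 'rsid' the same way RFC 8414 locates AS metadata from 'iss', the document is rejected unless its embedded 'rsid' matches the identifier the client started from (the binding that stops one host's metadata from describing a different RS), discovered endpoints are mapped back to the one identifier registered with the AS, and the token request carries that identifier plus only scopes the RS advertises. The well-known path, the field names other than 'rsid', the sample document, and the use of the 'resource' parameter to carry the rsid are all assumptions of this example.

```python
import json
from urllib.parse import urlsplit, urlunsplit

# Assumed well-known path for this example (the proposal does not define one).
WELL_KNOWN_PATH = "/.well-known/oauth-resource-server"

# Constructed sample RS metadata document. Only the 'rsid' claim comes from the
# proposal; the other field names are assumptions for this example.
SAMPLE_RS_METADATA = json.dumps({
    "rsid": "https://api.example.com",
    "resource_endpoints": [
        "https://api.example.com/v1/photos",
        "https://media.example.net/upload",   # endpoints need not share the rsid's origin
    ],
    "scopes_supported": ["photos.read", "photos.write"],
})


def metadata_url_for(rsid):
    """Locate the metadata document from the rsid the way RFC 8414 locates AS
    metadata from 'iss': the well-known path is inserted between host and path."""
    p = urlsplit(rsid)
    if p.scheme != "https" or not p.netloc or p.query or p.fragment:
        raise ValueError("rsid must be an https URL without query or fragment")
    return urlunsplit(("https", p.netloc, WELL_KNOWN_PATH + p.path.rstrip("/"), "", ""))


def parse_rs_metadata(expected_rsid, body):
    """Parse a metadata document and reject it unless its 'rsid' equals the
    identifier the client derived the fetch URL from (the same check RFC 8414
    applies to 'iss'), so a document served by one host cannot describe another RS."""
    doc = json.loads(body)
    if doc.get("rsid") != expected_rsid:
        raise ValueError(f"rsid mismatch: expected {expected_rsid!r}, got {doc.get('rsid')!r}")
    endpoints = []
    for ep in doc.get("resource_endpoints", []):
        if urlsplit(ep).scheme != "https":
            raise ValueError(f"non-https resource endpoint rejected: {ep}")
        endpoints.append(ep.rstrip("/"))
    return {"rsid": expected_rsid,
            "endpoints": endpoints,
            "scopes": set(doc.get("scopes_supported", []))}


class RSDirectory:
    """Client-side cache of discovered RS metadata, keyed by rsid."""

    def __init__(self):
        self._by_rsid = {}

    def refresh(self, rsid, fetch):
        """Re-discover one RS; fetch(url) -> response body. Meant to run periodically."""
        self._by_rsid[rsid] = parse_rs_metadata(rsid, fetch(metadata_url_for(rsid)))

    def rsid_for_endpoint(self, url):
        """Map a concrete request URL to the single identifier registered with the AS."""
        url = url.rstrip("/")
        for rsid, md in self._by_rsid.items():
            if any(url == ep or url.startswith(ep + "/") for ep in md["endpoints"]):
                return rsid
        return None

    def token_request_params(self, rsid, scopes):
        """Build token-request parameters that present the rsid, not an endpoint URL.
        Carrying the rsid in the 'resource' parameter is an assumption of this example."""
        md = self._by_rsid.get(rsid)
        if md is None:
            raise KeyError(f"no metadata discovered for {rsid}")
        unknown = set(scopes) - md["scopes"]
        if unknown:
            raise ValueError(f"scopes not advertised by RS: {sorted(unknown)}")
        return {"resource": rsid, "scope": " ".join(sorted(scopes))}


def fake_fetch(url):
    """Offline stand-in for an HTTPS GET; serves only the constructed sample document."""
    if url == "https://api.example.com" + WELL_KNOWN_PATH:
        return SAMPLE_RS_METADATA
    raise LookupError(f"no document at {url}")


if __name__ == "__main__":
    d = RSDirectory()
    d.refresh("https://api.example.com", fake_fetch)
    print(d.rsid_for_endpoint("https://media.example.net/upload/abc"))
    print(d.token_request_params("https://api.example.com", ["photos.read"]))
```

The rsid check in parse_rs_metadata is the part worth keeping whatever field names a real specification settles on: without it, discovery only tells the client where to send a token, not whether the party describing those endpoints is the one the identifier names.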