Related to this discussion of AS discovery... what is the value of using
the Link response header over just returning the variables in the
WWW-Authenticate header? Could we not use...
WWW-Authenticate: OAuth realm="example_realm", scope="example_scope",
error="invalid_token", rs_uri="https://api.example.com/resource",
as_uri="https://as1.example.com,https://as2.example.com"
Thanks,
George
On 11/6/18 12:19 AM, Justin P Richer wrote:
In the meeting tonight I brought up a response to the question of
whether to have full URL or plain issuer for the auth server in the RS
response’s header. My suggestion was that we have two different
parameters to the header to represent the AS: one of them being the
full URL (as_uri) and one of them being the issuer to be constructed
somehow (as_issuer). I ran into a similar problem on a system that I
built last year where all of our servers had discovery documents but
not all of them were easily constructed from an issuer style URL
(using OIDC patterns anyway). So we solved it by having two different
variables. If the full URL was set, we used that; if it wasn’t, we
tried the issuer; if neither was set we didn’t do any discovery.
I’m sensitive to Torsten’s concerns about complexity, but I think this
is a simple and deterministic solution that sidesteps much of the
issue. No pun intended.
— Justin
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
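An added example, not part of the thread or of any draft: a Python sketch of a client parsing the challenge George proposes and applying the precedence Justin describes (as_uri first, then as_issuer, otherwise no discovery). The function names are hypothetical, and the OIDC `/.well-known/openid-configuration` suffix for as_issuer and the https-only filter are assumptions.

```python
import re
from urllib.parse import urlsplit

# Challenge from George's message, joined onto one line.
GEORGE_EXAMPLE = ('OAuth realm="example_realm", scope="example_scope", '
                  'error="invalid_token", rs_uri="https://api.example.com/resource", '
                  'as_uri="https://as1.example.com,https://as2.example.com"')

# auth-param = name "=" ( quoted-string / token ); commas inside quotes are data.
_PARAM = re.compile(r'([A-Za-z0-9_-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,"]+))')

def parse_challenge(header):
    """Return (scheme, params) for a single WWW-Authenticate challenge."""
    scheme, _, rest = header.strip().partition(" ")
    params = {}
    for name, quoted, bare in _PARAM.findall(rest):
        # Undo backslash escapes in quoted-string values.
        params[name.lower()] = re.sub(r"\\(.)", r"\1", quoted) if quoted else bare
    return scheme, params

def _is_https(url):
    parts = urlsplit(url)
    return parts.scheme == "https" and bool(parts.hostname)

def discovery_urls(params):
    """Apply the precedence from Justin's message; [] means no discovery."""
    full = [u.strip() for u in params.get("as_uri", "").split(",") if u.strip()]
    if full:
        # Full URLs are used as given. Assumption: drop anything not https.
        return [u for u in full if _is_https(u)]
    issuer = params.get("as_issuer", "").strip()
    if issuer and _is_https(issuer):
        # Assumption: build the document URL with the OIDC Discovery suffix.
        return [issuer.rstrip("/") + "/.well-known/openid-configuration"]
    return []

if __name__ == "__main__":
    scheme, params = parse_challenge(GEORGE_EXAMPLE)
    print(scheme, discovery_urls(params))
```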