Hi Logan,

It's not the Client but the Resource Server that serves resources.

The Authorization Server does not need to know whether the resources specified by the `resource` request parameter actually exist on the Resource Server. This is because it is the Resource Server, not the Authorization Server, that ultimately checks whether the accessed resource is listed in the `aud` array of the access token.

Please see this diagram for "Audience-Restricted Access Token":
https://www.authlete.com/img/developers/api_protection/audience_restricted_access_token.png

Best Regards,
Taka at Authlete

On Wed, Dec 10, 2025 at 2:18 AM Logan Widick <[email protected]> wrote:

> RFC 8707 (Resource Indicators) added a "resource" parameter to
> authorization requests and token requests to indicate the resources that
> the access token is going to be used to access. However, I cannot find a
> corresponding parameter in the client registration metadata to indicate
> which resources that a client serves. How would an authorization server
> know how to adjust the issued access tokens for the resources indicated
> (e.g. client_ids to put in the "aud" claim)?
> _______________________________________________
> OAuth mailing list -- [email protected]
> To unsubscribe send an email to [email protected]

--
*Takahiko Kawasaki*
Co-Founder [email protected]
authlete.com <https://www.authlete.com/> | Linkedin <https://www.linkedin.com/company/authlete/>
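The division of work described in the reply above, as an added example that is not part of the mailing-list thread or of any Authlete code: the Authorization Server copies syntactically valid `resource` values into `aud`, and each Resource Server checks for its own identifier. The function names, the example.com identifiers and the exact-string comparison are assumptions, and the token's signature, issuer and expiry are assumed to have been verified already.

```python
from urllib.parse import urlsplit


class InvalidTarget(ValueError):
    """Corresponds to the RFC 8707 `invalid_target` error code."""


def as_build_audience(resource_params):
    """Authorization Server side (hypothetical helper).

    Checks only the syntax RFC 8707 requires of each `resource` value
    (absolute URI, no fragment) and copies it into `aud`. It never asks
    whether the resource exists on any Resource Server.
    """
    aud = []
    for value in resource_params:
        if not urlsplit(value).scheme or "#" in value:
            raise InvalidTarget(value)
        if value not in aud:
            aud.append(value)
    return aud


def rs_accepts(claims, own_identifier):
    """Resource Server side (hypothetical helper).

    Accepts the token only if this server's own identifier is listed in
    `aud`. A JWT `aud` may be a single string or an array of strings.
    """
    aud = claims.get("aud")
    if isinstance(aud, str):
        aud = [aud]
    if not isinstance(aud, list):
        return False
    return own_identifier in aud


# Constructed sample values, not taken from the thread.
CALENDAR = "https://calendar.example.com/"
CONTACTS = "https://contacts.example.com/"
FILES = "https://files.example.com/"

if __name__ == "__main__":
    claims = {"aud": as_build_audience([CALENDAR, CONTACTS])}
    for rs in (CALENDAR, CONTACTS, FILES):
        print(rs, "accepts" if rs_accepts(claims, rs) else "rejects")
```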
