Hi, Martin-

I was able to get this working after a little work.

I looked at the part of the draft standard you directed me to, and I agree, it clearly says that the communication between the resource server and the authorization server is not specified. Every other place where the scopes are mentioned, though, they say something to the effect of "For encoding information, see Section 3.3." And it looks like that's what the Spring OAuth implementation does when it's trying to de-serialize an AccessToken - it expects the scopes to be serialized as a space-delimited string.

So the place we ran into a snag was in creating a handler for the /validate route in the authorization server using the Spring libraries. Our resource server, using Restlet, was sending the AccessToken in a format that Spring didn't expect or understand.

The workaround I implemented was to replace Restlet's OAuthAuthorizer with my own revised copy. I would have liked to create a subclass, and override only createValidationRequest(), but unfortunately it's private, and I couldn't find a way to re-implement only a part of the class. So if you are considering revisions, making OAuthAuthorizer.createValidationRequest() protected (or putting AccessToken serialization/deserialization into a separate policy or strategy class?) would simplify this code.

Thanks for all your time and effort!

--------------------------
John Wismar
Alldata Technology
916-478-3296

> -----Original Message-----
> From: Martin Svensson [mailto:[email protected]]
> Sent: Sunday, January 29, 2012 9:47 AM
> To: [email protected]
> Subject: RE: Possible discrepancy in OAuth extension - scope encoding in
> token validation request
>
> Hope this issue eventually got solved. In any case we need to document our
> flow. I suspect that in the long run de facto standards for the communication
> between the authorization server and resource server will emerge.
> Personally I think it is strange that they did not take a shot at standardizing
> those interfaces as well
> --martin
>
> ------------------------------------------------------
> http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2912722

------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2913033

