The OAuth implementation at Deutsche Telekom uses a non-standard
parameter "serviceId" to identify the protected resource the client
wants to access. The client passes such an id as parameter when
requesting a token. The authorization server knows all services it
issues tokens for. The service id is used to
- construct the screen for user consent
- create a token with the content required at that particular service.
I would vote for a similar parameter as part of the standard. So far, I
have seen the "scope" parameter that way.
regards,
Torsten.
The way we do this at Yahoo is that the developer must indicate what scopes
they want to access when registering for a client_identifier/secret.
Although we've done it this way for several years, we've gotten plenty of
feedback that client developers want the flexibility to specify the scopes
at user authorization time.
Allen
On 4/1/10 6:59 PM, "Peter Saint-Andre" <[email protected]> wrote:
If that's true, then how does the Authorization Server know what scope
is appropriate at the Protected Resource? Does inclusion of the scope
parameter require a 1:1 mapping between AS and PR, or at least
communication between AS and PR?
Peter
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth