On Thu, Apr 15, 2010 at 9:31 PM, Justin Smith <[email protected]> wrote:
> Great.
>
> So, let’s say there is an Authorization Server available at http://as.com
> and it protects the http://foo.com and http://bar.com resources.
>
> A client requests http://foo.com. The foo.com server responds with a
> WWW-Auth that contains the http://as.com URI. The client then sends an
> access token request to http://as.com. Is that right?
I think James is suggesting that WWW-Auth will contain something like http://as.com?scope=foo.com

If that's the case, the scope is basically a custom parameter. Also, this assumes that protected resources are simple URLs that can be fetched. In many cases the protected resource is some API, and this API will require specific scopes depending on the context (actual user, operation, etc.). So a 401 may not be able to specify exactly what scope is needed. The client programmer will have to understand the API and provide proper scopes.

Marius

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
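As an added illustration of the exchange discussed in this thread (not code from the thread or from any OAuth implementation): a resource server that picks the advertised scope from the operation being attempted, and a client that parses the resulting challenge and decides where to send its token request. The `authz_uri` parameter, the API policy table and the `realm`/`scope` values are constructed assumptions, not standard OAuth parameters; the client also refuses a challenge that names an authorization server it does not already trust.

```python
import re

# Constructed policy for a hypothetical API: the scope a request needs depends
# on the operation (and in a real API on the user too), not just on the URL.
API_POLICY = {
    ("GET", "/photos"): "photos.read",
    ("POST", "/photos"): "photos.write",
    ("DELETE", "/photos"): "photos.admin",
}

AUTHZ_SERVER = "http://as.com"      # authorization server from the thread
TRUSTED_AS = {AUTHZ_SERVER}         # AS URIs the client was configured with


def build_challenge(method, path, realm="foo.com"):
    """Resource server side: build the WWW-Authenticate value sent with a 401.
    The scope is looked up from the operation; if the policy cannot name a
    single scope, the challenge omits it and the client must know the API."""
    # 'authz_uri' is an assumed parameter name, not defined by any OAuth spec.
    params = [f'realm="{realm}"', f'authz_uri="{AUTHZ_SERVER}"']
    scope = API_POLICY.get((method.upper(), path))
    if scope:
        params.append(f'scope="{scope}"')
    return "Bearer " + ", ".join(params)


# token="quoted-string" pairs; backslash escapes inside the quotes are allowed
_PARAM_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def parse_challenge(header):
    """Client side: parse a Bearer challenge into a dict of its parameters."""
    scheme, _, rest = header.partition(" ")
    if scheme != "Bearer":
        raise ValueError(f"unsupported challenge scheme: {scheme!r}")
    return {k: v.replace('\\"', '"') for k, v in _PARAM_RE.findall(rest)}


def token_request(challenge, default_scope):
    """Client side: decide where to send the access token request and with
    what scope. A 401 is unauthenticated, so the AS URI it carries is only
    honoured if it matches one the client already trusts; if no scope was
    advertised, fall back to the scope the client programmer knows is needed."""
    params = parse_challenge(challenge)
    url = params.get("authz_uri")
    if url not in TRUSTED_AS:
        raise ValueError(f"untrusted authorization server in challenge: {url!r}")
    return {"url": url, "scope": params.get("scope", default_scope)}
```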
