Mark,

> James, how does your proposal work if the client needs access
> to more than one set of resources?

I think a client app will need service-specific knowledge to realise it needs access to more than one set of resources (i.e. the app needs to know how the service divides resources into sets). That service-specific knowledge may as well include the service-specific authz URIs for requesting access to multiple sets of resources. http://as.com/foo,bar/, for instance.

If a client with a token for one scope tries to access a resource in a second scope, the 401 response could include an authz URI indicating both scopes.

--
James Manger

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
