In a recent discussion, another proposal was to use the realm attribute of the WWW-Authenticate header to indicate the scope.
So in your example the header would include two attributes:
authz-uri=http://as.com
realm=foo
What do you think?
Regards,
Torsten.
On 16.04.2010 06:43, Manger, James H wrote:
> > So, let’s say there is an Authorization Server available at http://as.com and it protects the http://foo.com and http://bar.com resources.
> > A client requests http://foo.com. The foo.com server responds with a WWW-Auth that contains the http://as.com URI. The client then sends an access token request to http://as.com. Is that right?
> > If so, then how does http://as.com know that the intended resource is http://foo.com?
>
> Foo.com should point the client at, say, http://as.com/foo/ or http://foo.as.com/ or http://as.com/?scope=foo or http://as.com/?encrypted_resource_id=273648264287642 or whatever it has agreed to with its AS.
>
> The WWW-Auth response from foo.com should not be just http://as.com. Foo is much better placed to know it shares as.com with Bar than a client is.
>
> --
> James Manger
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
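The two ways of telling the client which resource an Authorization Server request is for, an `authz-uri` plus a `realm` attribute as in Torsten's proposal, or a resource-specific URI such as http://as.com/foo/ as in James's reply, can both be handled by one small parser. The following is an added example written for this thread, not code from the OAuth working group or from either poster: it parses a WWW-Authenticate challenge into its auth-params (quoted or bare values), builds the two-attribute form a resource server would emit, and on the client side derives the resource hint from whichever form was used. The `OAuth` scheme name, the `trusted_as_hosts` allow-list and the sample header values are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit

# Lenient auth-param grammar: name=token or name="quoted-string".
# Bare values such as http://as.com are accepted (they contain characters
# that are not token chars) because the thread writes them unquoted.
_PARAM_RE = re.compile(
    r'\s*([A-Za-z0-9_.-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))\s*,?'
)


def parse_challenge(header):
    """Split a WWW-Authenticate value into (scheme, {param-name: value})."""
    scheme, _, rest = header.strip().partition(" ")
    params = {}
    for m in _PARAM_RE.finditer(rest):
        name = m.group(1).lower()
        if m.group(2) is not None:
            # quoted-string: undo backslash escaping
            value = re.sub(r"\\(.)", r"\1", m.group(2))
        else:
            value = m.group(3)
        params[name] = value
    return scheme, params


def build_challenge(authz_uri, realm, scheme="OAuth"):
    """Resource-server side: the two-attribute header Torsten proposes.
    Values are quoted so the header is valid auth-param syntax."""
    quoted_uri = authz_uri.replace("\\", "\\\\").replace('"', '\\"')
    quoted_realm = realm.replace("\\", "\\\\").replace('"', '\\"')
    return f'{scheme} authz-uri="{quoted_uri}", realm="{quoted_realm}"'


def resource_hint(params):
    """What the AS can infer about the intended resource: the realm if given,
    otherwise the path component of a resource-specific authz-uri
    (James's http://as.com/foo/ form), or None if neither is present."""
    if "realm" in params:
        return params["realm"]
    uri = params.get("authz-uri")
    if uri:
        path = urlsplit(uri).path.strip("/")
        return path or None
    return None


def resolve_token_endpoint(header, trusted_as_hosts, scheme="OAuth"):
    """Client side: decide where to send the access-token request.

    Only an AS host the client has been configured with is accepted
    (assumed design choice), so a challenge cannot redirect the client's
    credentials to an arbitrary host. Returns (authz_uri, resource_hint).
    """
    got_scheme, params = parse_challenge(header)
    if got_scheme.lower() != scheme.lower():
        raise ValueError(f"unexpected auth scheme {got_scheme!r}")
    uri = params.get("authz-uri")
    if not uri:
        raise ValueError("challenge carries no authz-uri")
    host = urlsplit(uri).hostname
    if host not in trusted_as_hosts:
        raise ValueError(f"authz-uri host {host!r} is not a configured AS")
    return uri, resource_hint(params)


if __name__ == "__main__":
    # Constructed sample: foo.com's challenge in the two-attribute form.
    hdr = build_challenge("http://as.com", "foo")
    print(hdr)
    print(resolve_token_endpoint(hdr, {"as.com"}))
    # Constructed sample: James's resource-specific-URI form.
    print(resolve_token_endpoint('OAuth authz-uri="http://as.com/foo/"', {"as.com"}))
```

Both header forms resolve to the same pair, `("http://as.com", "foo")` and `("http://as.com/foo/", "foo")` respectively, so the AS-side logic for mapping the request to a resource does not depend on which convention foo.com and its AS agreed on.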