> authz-uri=http://as.com
> realm=foo
>
> What do you think?
I can’t see any benefit in making the client app combine the realm and authz-uri, over the server just returning an authz-uri with that information already included (in whatever concise form it wants).

Matching realm values allows a client to recognize when the same credential (e.g. token) can be used. This might preclude realm values differing between Foo and Bar services that can accept the same tokens.

-- James Manger

From: Torsten Lodderstedt [mailto:[email protected]]
Sent: Saturday, 17 April 2010 6:48 PM
To: Manger, James H
Cc: Justin Smith; OAuth WG
Subject: Re: [OAUTH-WG] Issue: Scope parameter

In a recent discussion, another proposal was to use the realm attribute of the WWW-Authenticate header to indicate the scope.

So in your example the header would include two attributes

authz-uri=http://as.com
realm=foo

What do you think?

regards,
Torsten.

On 16.04.2010 06:43, Manger, James H wrote:

> So, let’s say there is an Authorization Server available at http://as.com and
> it protects the http://foo.com and http://bar.com resources.
> A client requests http://foo.com. The foo.com server responds with a
> WWW-Auth that contains the http://as.com URI. The client then sends an access
> token request to http://as.com. Is that right?
> If so, then how does http://as.com know that the intended resource is
> http://foo.com?

Foo.com should point the client at, say, http://as.com/foo/ or http://foo.as.com/ or http://as.com/?scope=foo or http://as.com/?encrypted_resource_id=273648264287642 or whatever it has agreed to with its AS.

The WWW-Auth response from foo.com should not be just http://as.com. Foo is much better placed to know it shares as.com with Bar than a client is.

-- James Manger
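The client behaviour discussed in this thread, as an added example that is not code from any list participant or from an OAuth draft: the client sends its token request to the authz-uri exactly as the resource server returned it, and reuses a token only when a later challenge carries a realm it has already seen. The `Example` scheme name, the header layout, the sample challenges and the `fake_as` stand-in are assumptions made for illustration; only the `authz-uri` and `realm` attribute names come from the thread.

```python
import re

# Constructed challenges; scheme name and layout are assumptions.
FOO = 'Example authz-uri="http://as.com/?scope=foo", realm="foo"'
BAR_SHARED = 'Example authz-uri="http://as.com/?scope=bar", realm="foo"'
BAR_OWN = 'Example authz-uri="http://as.com/?scope=bar", realm="bar"'

_PARAM = re.compile(r'([A-Za-z][\w-]*)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,"]+))')

def parse_challenge(header):
    """Split 'Scheme k="v", k2=v2' into (scheme, {k: v}); keys lower-cased."""
    scheme, _, rest = header.strip().partition(" ")
    params = {}
    for key, quoted, bare in _PARAM.findall(rest):
        params[key.lower()] = re.sub(r"\\(.)", r"\1", quoted) if quoted else bare
    return scheme, params

class RealmTokenCache:
    """Reuse a token when a challenge carries an already-seen realm."""
    def __init__(self, request_token):
        self._request_token = request_token  # callable(authz_uri) -> token
        self._by_realm = {}

    def token_for(self, challenge_header):
        _, params = parse_challenge(challenge_header)
        authz_uri, realm = params.get("authz-uri"), params.get("realm")
        if not authz_uri:
            raise ValueError("challenge has no authz-uri")
        if realm is not None and realm in self._by_realm:
            return self._by_realm[realm]
        # The authz-uri is used verbatim: the client never combines it with
        # realm or works out for itself which resource the request is for.
        token = self._request_token(authz_uri)
        if realm is not None:
            self._by_realm[realm] = token
        return token

def demo(second_challenge):
    """Return the authz-uris contacted for FOO, then second_challenge."""
    contacted = []
    def fake_as(uri):  # hypothetical stand-in for the token request; no network
        contacted.append(uri)
        return "token-%d" % len(contacted)
    cache = RealmTokenCache(fake_as)
    cache.token_for(FOO)
    cache.token_for(second_challenge)
    return contacted
```

With `BAR_SHARED` the authorization server is contacted once; with `BAR_OWN` it is contacted twice, which is the lost reuse the reply points out when realm values differ. Keying the cache on realm alone mirrors the thread's description; which resource servers are trusted to assert a given realm is a separate decision this sketch leaves out.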
