The OAuth2 protocol does not indicate where a token can be used.

It needs to do so because if a client app sends a token to the wrong site it
destroys the security.

I suggest another field in the JSON token response:

  "sites": ["https://api.example.com", "http://photo.example.com:8080"]

It would be a list of sites where the token can be used, specified by
scheme://host[:port].

The default value for the “sites” field could be the token endpoint site (or
the authorization endpoint site if a token endpoint isn’t used).

For instance, if Facebook’s new API uses https://graph.facebook.com for all
resources, tokens, and authorizations it could omit the “sites” field.

P.S. I suggested this last month
http://www.ietf.org/mail-archive/web/oauth/current/msg01920.html, though I
mixed in additional ideas for formats and media type that are probably best
covered in their own threads.

--

James Manger

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth

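Added example (not part of the message above, and not code from the OAuth working group): a client-side check that enforces the proposed "sites" field before a bearer token is attached to a request. The token response, the token endpoint URL and the class name BoundToken are constructed for illustration, and treating an omitted port as the scheme's default (80 for http, 443 for https) is this example's assumption, not something the proposal states.

```python
import json
from urllib.parse import urlsplit

# Assumption: an omitted port means the scheme's default port, so
# "https://api.example.com" and "https://api.example.com:443" are one site.
_DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url: str) -> str:
    """Reduce an absolute URL to scheme://host:port with the port explicit.

    Scheme and host are lower-cased; path, query and fragment are ignored,
    because the proposal identifies a site by scheme://host[:port] only.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname  # already lower-cased by urlsplit
    if not scheme or not host:
        raise ValueError(f"not an absolute URL: {url!r}")
    port = parts.port if parts.port is not None else _DEFAULT_PORTS.get(scheme)
    if port is None:
        raise ValueError(f"no port known for scheme {scheme!r}: {url!r}")
    return f"{scheme}://{host}:{port}"


def allowed_sites(token_response: dict, token_endpoint: str) -> frozenset:
    """Sites the token may be sent to.

    Uses the "sites" list from the token response; when the field is absent
    the default is the token endpoint's own site, as the proposal suggests.
    """
    sites = token_response.get("sites")
    if sites is None:
        sites = [token_endpoint]
    if not isinstance(sites, list) or not all(isinstance(s, str) for s in sites):
        raise ValueError('"sites" must be a list of scheme://host[:port] strings')
    return frozenset(origin_of(s) for s in sites)


class BoundToken:
    """An access token together with the sites it may be presented to."""

    def __init__(self, token_response: dict, token_endpoint: str):
        self.access_token = token_response["access_token"]
        self.sites = allowed_sites(token_response, token_endpoint)

    def allows(self, url: str) -> bool:
        return origin_of(url) in self.sites

    def auth_header_for(self, url: str) -> dict:
        """Return the Authorization header for url, or refuse if url is off-list.

        Refusing here is the whole point: a token that leaks to the wrong
        site is a credential for the attacker, so the client never sends it.
        """
        if not self.allows(url):
            raise PermissionError(f"token not valid for {origin_of(url)}")
        return {"Authorization": f"Bearer {self.access_token}"}


# Constructed token response mirroring the proposal's example "sites" value.
TOKEN_RESPONSE = json.loads("""{
  "access_token": "example-access-token",
  "sites": ["https://api.example.com", "http://photo.example.com:8080"]
}""")

# Constructed token endpoint; deliberately NOT in the "sites" list above.
TOKEN_ENDPOINT = "https://auth.example.com/token"


def demo() -> dict:
    """Evaluate a few request URLs against the bound token; returns url -> allowed."""
    token = BoundToken(TOKEN_RESPONSE, TOKEN_ENDPOINT)
    urls = [
        "https://api.example.com/v1/me",            # listed site
        "https://api.example.com:443/v1/me",        # same site, explicit port
        "http://photo.example.com:8080/upload",     # listed site with port
        "http://api.example.com/v1/me",             # scheme mismatch: refused
        "https://photo.example.com:8080/upload",    # scheme mismatch: refused
        "https://evil.example.net/collect",         # unrelated host: refused
    ]
    return {u: token.allows(u) for u in urls}


if __name__ == "__main__":
    for url, ok in demo().items():
        print(("allow " if ok else "REFUSE") + "  " + url)
```

When "sites" is omitted the default binding is the token endpoint's site, so a token from https://graph.facebook.com/... would be usable only at https://graph.facebook.com (and not at the http:// variant of the same host).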