I noticed the following text in draft-ietf-oauth-v2-02 (section 7, Accessing a Protected Resource):
“Clients SHOULD NOT make authenticated requests with an access token to unfamiliar resource servers, especially when using bearer tokens, regardless of the presence of a secure channel.” A “sites” parameter would allow a client app to tell when it is about to access an “unfamiliar resource server”: an “unfamiliar resource server” is a server not listed in the “sites” parameter (or not the same server as the authorization server if “sites” is absent). Otherwise this “SHOULD NOT” looks pretty hard to test. -- James Manger
_______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
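The check described in the message above, as an added example that is not part of the post or of the OAuth draft. It assumes a hypothetical "sites" parameter in the token response, carrying a space-separated list of origins (scheme://host[:port]) that the access token may be presented to; when "sites" is absent, only the authorization server's own origin counts as familiar. The token response and URLs are constructed sample data.

```python
"""Client-side "familiar resource server" check for bearer tokens.

Added example, not code from the draft or the mailing-list post. The
"sites" token-response parameter is an assumption: a space-separated list
of origins (scheme://host[:port]) the token may be sent to. Without it, the
only familiar server is the authorization server itself.
"""
from urllib.parse import urlsplit


class UnfamiliarResourceServer(Exception):
    """Raised when a bearer token would be sent to a server not named in 'sites'."""


def origin(url: str) -> str:
    """Normalise a URL to scheme://host[:port], lower-cased, default ports dropped.

    Comparing origins rather than hostnames means a token listed for
    https://host is not sent over plain http to the same host, and a
    non-default port must match exactly.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port
    if port is None or (scheme, port) in (("https", 443), ("http", 80)):
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def familiar_origins(token_response: dict, authorization_server: str) -> set:
    """Origins the token may be presented to, derived from the 'sites' parameter."""
    sites = token_response.get("sites")
    if sites is None:
        # 'sites' absent: only the authorization server itself is familiar.
        return {origin(authorization_server)}
    return {origin(site) for site in sites.split()}


def is_familiar(resource_url: str, token_response: dict, authorization_server: str) -> bool:
    """True if the resource server's origin is one the token was issued for."""
    return origin(resource_url) in familiar_origins(token_response, authorization_server)


def authorized_request_headers(resource_url: str, token_response: dict,
                               authorization_server: str) -> dict:
    """Build the Authorization header only for a familiar resource server.

    Raising here keeps the bearer token from ever leaving the client towards
    a server the authorization server did not name, whatever the channel.
    """
    if not is_familiar(resource_url, token_response, authorization_server):
        allowed = sorted(familiar_origins(token_response, authorization_server))
        raise UnfamiliarResourceServer(
            f"refusing to send bearer token to {origin(resource_url)}; "
            f"familiar origins: {allowed}"
        )
    return {"Authorization": f"Bearer {token_response['access_token']}"}


# Constructed sample token response and authorization server (not real data).
SAMPLE_TOKEN_RESPONSE = {
    "access_token": "example-token-value",
    "token_type": "bearer",
    "sites": "https://api.example.com https://files.example.com:8443",
}
AUTHZ_SERVER = "https://auth.example.com/token"


if __name__ == "__main__":
    print(authorized_request_headers("https://api.example.com/v1/photos",
                                     SAMPLE_TOKEN_RESPONSE, AUTHZ_SERVER))
    try:
        authorized_request_headers("https://other.example.net/",
                                   SAMPLE_TOKEN_RESPONSE, AUTHZ_SERVER)
    except UnfamiliarResourceServer as exc:
        print("blocked:", exc)
```

The comparison is on the full origin: a "sites" entry for https://files.example.com:8443 does not make https://files.example.com (port 443) familiar, and an http:// URL never matches an https:// entry, which is the stricter reading of the draft's "regardless of the presence of a secure channel".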
