Torsten,

Thanks for your analysis.

> 1) Resource server controls token sites (context of the realm attribute)
> 2) Authorization server controls token sites (context of token)
>
> In my opinion, (1) improves security and eases the practicability of OAuth2
> in scenarios with multiple sites and (2) is a significant security
> improvement. I think, both scenarios should be addressed by the WG.

Scenario 1 is basically how HTTP Digest works -- using a "domains" param, which
is a list of URI prefixes.
If a resource server is delegating to an authz server, it may as well also rely 
on the authz server to indicate "realm" values that are equivalent across 
multiple resource servers.
That is, I think it is useful to return "sites" and "realm" values in a token 
response from an authz server, but that it is not necessary to return "sites" 
in a 401 resource server response in OAuth.
One resource server may well not know about all the other resource servers.

--
James Manger
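As an added illustration (not code from the thread, any OAuth draft, or the IETF list), the following shows the client-side check the Digest mechanism mentioned above implies: parse the challenge's domain parameter (RFC 7616 spells it `domain`) into absolute URI prefixes and refuse to send the credential to any URI outside them. The same `credential_covers` check is then applied to a `sites` list in a token response, which is the proposal under discussion, not an existing OAuth parameter; the JSON shape used for it, and the challenge and URLs, are constructed for the example.

```python
import re
from urllib.parse import urlsplit, urljoin

# Constructed sample challenge: the domain parameter names the URI prefixes
# that credentials for this realm may be sent to (absolute or path-relative).
SAMPLE_CHALLENGE = (
    'Digest realm="api.example.com", qop="auth", '
    'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", '
    'domain="https://api.example.com/v1/ /uploads https://files.example.com/"'
)

# Hypothetical token response carrying a "sites" list, as proposed in the
# thread; the field name and shape are an assumption, not a standard.
SAMPLE_TOKEN_RESPONSE = {
    "access_token": "2YotnFZFEjr1zCsicMWpAA",
    "token_type": "bearer",
    "sites": ["https://api.example.com/v1/", "https://files.example.com/"],
}


def parse_digest_domain(www_authenticate, request_url):
    """Return the absolute URI prefixes named by a Digest challenge's domain
    parameter. Relative references are resolved against the URL of the
    request that produced the challenge. Without a domain parameter the
    credential covers the whole origin of that request."""
    if not www_authenticate.lower().startswith("digest "):
        raise ValueError("not a Digest challenge")
    m = re.search(r'\bdomain="([^"]*)"', www_authenticate)
    if m is None:
        s = urlsplit(request_url)
        return [f"{s.scheme}://{s.netloc}/"]
    return [urljoin(request_url, ref) for ref in m.group(1).split()]


def sites_from_token_response(token_response):
    """Return the URI prefixes an access token is scoped to (assumed "sites"
    field). An absent list means the client knows nothing and should treat
    the token as usable only where it was obtained, so return an empty list."""
    return list(token_response.get("sites", []))


def credential_covers(target_url, prefixes):
    """True if target_url lies under one of the prefixes: scheme and host
    must match (case-insensitively, so no http:// downgrade and no other
    host) and the path must start with the prefix path."""
    t = urlsplit(target_url)
    t_path = t.path or "/"
    for p in prefixes:
        ps = urlsplit(p)
        if (t.scheme.lower(), t.netloc.lower()) != (ps.scheme.lower(), ps.netloc.lower()):
            continue
        if t_path.startswith(ps.path or "/"):
            return True
    return False


if __name__ == "__main__":
    prefixes = parse_digest_domain(SAMPLE_CHALLENGE, "https://api.example.com/v1/users")
    for url in ("https://api.example.com/v1/users/42",
                "https://api.example.com/admin",
                "http://api.example.com/v1/users",
                "https://evil.example.net/v1/"):
        print(url, "->", "send" if credential_covers(url, prefixes) else "withhold")
```

The check is deliberately strict on scheme and host: a prefix of `https://api.example.com/v1/` does not cover `http://api.example.com/v1/`, which is where a scoped credential would otherwise leak over a downgraded connection.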
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth