Add some sort of wildcard support and I think this looks good.

EHL

From: [email protected] [mailto:[email protected]] On Behalf Of 
Manger, James H
Sent: Thursday, May 06, 2010 4:58 PM
To: OAuth WG
Subject: [OAUTH-WG] Indicating sites where a token is valid

The OAuth2 protocol does not indicate where a token can be used.
It needs to do so because if a client app sends a token to the wrong site it 
destroys the security.

I suggest another field in the JSON token response:
  "sites": ["https://api.example.com", "http://photo.example.com:8080"]

It would be a list of sites where the token can be used, specified by 
scheme://host[:port].

The default value for the “sites” field could be the token endpoint site (or 
the authorization endpoint site if a token endpoint isn’t used).
For instance, if Facebook’s new API uses https://graph.facebook.com for all 
resources, tokens, and authorizations it could omit the “sites” field.


P.S. I suggested this last month 
http://www.ietf.org/mail-archive/web/oauth/current/msg01920.html, though I 
mixed in additional ideas for formats and media type that are probably best 
covered in their own threads.


--
James Manger

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth

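An added illustration of the client-side check this proposal enables (example code written for this page; it is not from the thread, the OAuth drafts, or any library). It assumes the "sites" field as proposed, a list of scheme://host[:port] strings, defaulting to the token endpoint's site when absent. Two things go beyond the message: default ports are normalized (443 for https, 80 for http) so "https://api.example.com" and "https://api.example.com:443" are the same site, and a single leading "*." label is treated as a wildcard for subdomains in the spirit of EHL's reply; both the wildcard syntax and the port handling are assumptions, not anything the thread specifies.

```python
from urllib.parse import urlsplit

# Assumption: scheme://host compares equal to scheme://host:<default port>.
DEFAULT_PORTS = {"http": 80, "https": 443}


def site_of(url):
    """Reduce a URL or site string to (scheme, host, port), lowercased,
    with the scheme's default port filled in when none is given."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    if not scheme or not host or port is None:
        raise ValueError("not a usable scheme://host[:port] site: %r" % url)
    return scheme, host, port


def allowed_sites(token_response, token_endpoint):
    """Sites the token may be sent to. Per the proposal, an omitted "sites"
    field means "the token endpoint's site" and nothing else."""
    sites = token_response.get("sites")
    if sites is None:
        sites = [token_endpoint]
    return [site_of(s) for s in sites]


def host_matches(pattern_host, host):
    """Assumed wildcard rule: '*.example.com' matches any host with at
    least one label before '.example.com', but not 'example.com' itself
    and not 'evil-example.com'. Anything else must match exactly."""
    if pattern_host.startswith("*."):
        suffix = pattern_host[1:]          # ".example.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return pattern_host == host


def token_valid_for(token_response, token_endpoint, request_url):
    """True if request_url lies on one of the sites the token is valid for.
    Scheme and port must match exactly; the host is matched by host_matches.
    A client should refuse to attach the token anywhere this returns False."""
    scheme, host, port = site_of(request_url)
    for p_scheme, p_host, p_port in allowed_sites(token_response, token_endpoint):
        if p_scheme == scheme and p_port == port and host_matches(p_host, host):
            return True
    return False


def token_for(token_response, token_endpoint, request_url):
    """Return the access token only if the request may carry it, else None.
    Gating here means a mis-routed request simply goes out unauthenticated
    instead of leaking the bearer credential to the wrong site."""
    if token_valid_for(token_response, token_endpoint, request_url):
        return token_response["access_token"]
    return None


# Constructed sample token response and endpoint for the demonstration.
TOKEN_ENDPOINT = "https://auth.example.com/token"
TOKEN_RESPONSE = {
    "access_token": "constructed-token-value",
    "sites": [
        "https://api.example.com",
        "http://photo.example.com:8080",
        "https://*.cdn.example.com",      # assumed wildcard form
    ],
}

if __name__ == "__main__":
    for url in ("https://api.example.com:443/me",
                "http://api.example.com/me",
                "http://photo.example.com/albums",
                "https://img1.cdn.example.com/a.jpg",
                "https://evil-example.com/steal"):
        print(url, "->", token_valid_for(TOKEN_RESPONSE, TOKEN_ENDPOINT, url))
```

Note that an explicit "sites" list does not implicitly include the token endpoint: if the authorization server lists sites, only those sites are trusted, which is the reading of "default value" that keeps the list authoritative.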