If the sites parameter is not specified, it would default to the
domain of the authorization server. If it is specified, then the valid
sites are what is explicitly listed. Wildcards would only be supported
for subdomains and it would be assumed that any resource on that
domain is valid.

Thus with the user endpoint being https://graph.facebook.com/oauth/authorize:

1) no sites parameter means the access token is only valid on
https://graph.facebook.com/*

2) sites key with a value of ["https://graph.facebook.com/"] means
that the access token is only valid on https://graph.facebook.com/*

3) sites key with a value of ["https://*.facebook.com/"] means that
https://graph.facebook.com/* and https://www.facebook.com/* would both
be valid (among other subdomains)

4) sites key with a value of ["https://graph.facebook.com/",
"https://api.facebook.com/"] means that only
https://graph.facebook.com/* and https://api.facebook.com/* would be
valid

5) sites key with a value of ["https://api.facebook.com/"] means that
the token isn't valid on https://graph.facebook.com/ even though
that's the authorization server

Obviously the sites parameter isn't restricted to being on the same
domain, just used it that way for these examples. Am I understanding
the proposal correctly?

Thanks,
--David


On Sun, May 9, 2010 at 2:29 PM, Eran Hammer-Lahav <[email protected]> wrote:
> Add some sort of wildcard support and I think this looks good.
>
> EHL
>
>
>
> From: [email protected] [mailto:[email protected]] On Behalf Of
> Manger, James H
> Sent: Thursday, May 06, 2010 4:58 PM
> To: OAuth WG
> Subject: [OAUTH-WG] Indicating sites where a token is valid
>
> The OAuth2 protocol does not indicate where a token can be used.
>
> It needs to do so because if a client app sends a token to the wrong site it
> destroys the security.
>
> I suggest another field in the JSON token response:
>
>   "sites": ["https://api.example.com", "http://photo.example.com:8080"]
>
> It would be a list of sites where the token can be used, specified by
> scheme://host[:port].
>
> The default value for the “sites” field could be the token endpoint site (or
> the authorization endpoint site if a token endpoint isn’t used).
>
> For instance, if Facebook’s new API uses https://graph.facebook.com for all
> resources, tokens, and authorizations it could omit the “sites” field.
>
> P.S. I suggested this last month
> http://www.ietf.org/mail-archive/web/oauth/current/msg01920.html, though I
> mixed in additional ideas for formats and media type that are probably best
> covered in their own threads.
>
> --
>
> James Manger
>
> _______________________________________________
> OAuth mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/oauth
>

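The following is an added example, not code from the thread or from any OAuth implementation, showing how a client could enforce the proposed "sites" field before it attaches an access token to a request. It encodes the matching rules as David reads them above (default to the authorization server's site, explicit scheme://host[:port] entries, "*." wildcards covering subdomains), plus a few points the thread leaves open and which are therefore assumptions here: default ports 443/80 when a URL omits one, a wildcard covering any depth of subdomain but not the apex domain itself, and the "Bearer" header scheme used to illustrate the point where the token would otherwise leak. The token responses and URLs are constructed for the five cases in the message.

```python
from urllib.parse import urlsplit

# Default ports assumed when a site or resource URL omits one (assumption).
DEFAULT_PORTS = {"https": 443, "http": 80}


def _origin(url):
    """Reduce a URL to (scheme, host, port). The path is ignored because the
    proposal scopes tokens to scheme://host[:port], not to paths."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError("unsupported site or resource URL: %r" % (url,))
    return parts.scheme, parts.hostname.lower(), parts.port or DEFAULT_PORTS[parts.scheme]


def _site_matches(site, resource_url):
    """True if resource_url lies on the listed site. A host starting with "*."
    covers any subdomain (one or more labels deep) but not the apex domain
    itself; that reading of "wildcards for subdomains" is an assumption."""
    s_scheme, s_host, s_port = _origin(site)
    r_scheme, r_host, r_port = _origin(resource_url)
    if (s_scheme, s_port) != (r_scheme, r_port):
        return False  # a scheme or port change is a different site (no http downgrade)
    if s_host.startswith("*."):
        suffix = s_host[1:]  # "*.facebook.com" -> ".facebook.com"
        # Matching on the dotted suffix rejects look-alikes such as
        # evilfacebook.com, which a bare substring test would accept.
        return r_host.endswith(suffix)
    return s_host == r_host


def allowed_sites(token_response, authorization_endpoint):
    """The "sites" list from the JSON token response, or the default: the site
    of the authorization server that issued the token."""
    sites = token_response.get("sites")
    return list(sites) if sites else [authorization_endpoint]


def token_valid_for(resource_url, token_response, authorization_endpoint):
    return any(_site_matches(site, resource_url)
               for site in allowed_sites(token_response, authorization_endpoint))


def authorization_header_for(resource_url, token_response, authorization_endpoint):
    """Gate the only place the token leaves the client: refuse rather than leak.
    The "Bearer" scheme is an assumption for illustration."""
    if not token_valid_for(resource_url, token_response, authorization_endpoint):
        raise PermissionError("refusing to send access token to %s" % resource_url)
    return {"Authorization": "Bearer " + token_response["access_token"]}


# Constructed sample data: the authorization endpoint from the message and one
# token response per numbered case.
AUTHZ = "https://graph.facebook.com/oauth/authorize"
CASES = {
    1: {"access_token": "t1"},
    2: {"access_token": "t2", "sites": ["https://graph.facebook.com/"]},
    3: {"access_token": "t3", "sites": ["https://*.facebook.com/"]},
    4: {"access_token": "t4", "sites": ["https://graph.facebook.com/",
                                        "https://api.facebook.com/"]},
    5: {"access_token": "t5", "sites": ["https://api.facebook.com/"]},
}

if __name__ == "__main__":
    for n, resp in CASES.items():
        for url in ("https://graph.facebook.com/me",
                    "https://www.facebook.com/me",
                    "https://api.facebook.com/me"):
            print("case %d  %-32s %s" % (n, url, token_valid_for(url, resp, AUTHZ)))
```

Running the block prints the decision table for the five cases; note that case 5 refuses graph.facebook.com even though it is the authorization server, exactly as David describes, and that the port check makes James's "http://photo.example.com:8080" entry cover nothing on port 80.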