Correct. All your examples match my intention, David.

-- 
James Manger


-----Original Message-----
From: David Recordon [mailto:[email protected]] 
Sent: Tuesday, 11 May 2010 1:46 PM
To: Eran Hammer-Lahav
Cc: Manger, James H; OAuth WG
Subject: Re: [OAUTH-WG] Indicating sites where a token is valid

If the sites parameter is not specified, would it default to the
domain of the authorization server. If it is specified, then the valid
sites are what is explicitly listed. Wildcards would only be supported
for subdomains and it would be assumed that any resource on that
domain is valid.

Thus with the user endpoint being https://graph.facebook.com/oauth/authorize:

1) no sites parameter means the access token is only valid on
https://graph.facebook.com/*

2) sites key with a value of ["https://graph.facebook.com/"] means
that the access token is only valid on https://graph.facebook.com/*

3) sites key with a value of ["https://*.facebook.com/"] means that
https://graph.facebook.com/* and https://www.facebook.com/* would both
be valid (among other subdomains)

4) sites key with a value of ["https://graph.facebook.com/",
"https://api.facebook.com/"] means that only
https://graph.facebook.com/* and https://api.facebook.com/* would be
valid

5) sites key with a value of ["https://api.facebook.com/"] means that
the token isn't valid on https://graph.facebook.com/ even though
that's the authorization server

Obviously the sites parameter isn't restricted to being on the same
domain, just used it that way for these examples. Am I understanding
the proposal correctly?

Thanks,
--David
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
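
The matching rule laid out in the five cases of the quoted message, written as a client-side check. This is an added example, not code from the thread or from any OAuth specification. The function names, the exact scheme and port comparison, and the choice that "*." covers subdomains at any depth but not the bare domain are assumptions.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}


def _origin(url):
    """Return (scheme, host, port), lower-cased and with the default port filled in."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    return scheme, host, parts.port or DEFAULT_PORTS.get(scheme)


def site_matches(site, resource_url):
    """True if resource_url falls under one entry of the sites list."""
    s_scheme, s_host, s_port = _origin(site)
    r_scheme, r_host, r_port = _origin(resource_url)
    if not r_host or (s_scheme, s_port) != (r_scheme, r_port):
        return False
    if s_host.startswith("*.") and "*" not in s_host[2:]:
        suffix = s_host[1:]  # keep the leading dot: ".facebook.com"
        # Subdomains only: "notfacebook.com" and bare "facebook.com" fail here.
        return r_host.endswith(suffix) and len(r_host) > len(suffix)
    # Any other use of "*" is unsupported and matches nothing.
    return "*" not in s_host and r_host == s_host


def token_valid_for(resource_url, authorization_endpoint, sites=None):
    """Apply the rule from the thread; the path of a site entry is ignored."""
    if sites is None:
        # No sites parameter: only the authorization server's own domain.
        sites = [authorization_endpoint]
    return any(site_matches(site, resource_url) for site in sites)


if __name__ == "__main__":
    AS = "https://graph.facebook.com/oauth/authorize"  # endpoint from the thread
    cases = [  # (sites value, resource URL); resource URLs are constructed
        (None, "https://graph.facebook.com/me"),
        (["https://*.facebook.com/"], "https://www.facebook.com/me"),
        (["https://*.facebook.com/"], "https://notfacebook.com/me"),
        (["https://api.facebook.com/"], "https://graph.facebook.com/me"),
    ]
    for sites, url in cases:
        print(sites, url, token_valid_for(url, AS, sites))
```

The host is taken from the parsed URL rather than from a substring test, so a URL that carries the expected name in its userinfo part or as a prefix of a longer hostname does not match.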
