> 
>> In my opinion, this decision is up to the authorization server and not 
>> the resource server. Or should both be possible? What do you think?
> 
> Theoretically, the decision should probably be up to the authorization server.
> In practice, however, the decision should be *delivered* from the resource 
> server.
> 
> It is resources that apps are ultimately interested in.
> It is at a resource where an app should start
> (unless it can skip some steps by using some service-specific knowledge).
> Consequently, delivering the decision from the resource server is more 
> efficient.
> It avoids an extra step (resource server -> authz server -> answer).
> 
> Separating the authorization server from resource servers is useful for
> restricting the exposure of long-term secrets. It is not necessary, however,
> for the delivery of discovery information.
> 
> --
> James 

So your idea is to use the resource server as a discovery proxy for the authz 
server? Interesting idea! Would you mind contributing it to the "Discovery 
Requirements" thread?

Regards,
Torsten.
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
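One way to make the "start at a resource" path from the exchange above concrete (an added example, not code from the thread or from either author): the resource server answers an unauthenticated request with a Bearer challenge that points at its own metadata document, which in turn names the authorization server, and the client walks that chain. This is the shape later standardized in RFC 9728 (OAuth 2.0 Protected Resource Metadata, `resource_metadata` challenge parameter); the hostnames, the in-memory fake web and the document contents below are constructed for the example, and the origin and issuer checks are the ones a practitioner would add so a rogue or tampered resource server cannot steer the client to an attacker's authorization server.

```python
"""Client-side OAuth discovery that starts at a resource (constructed, offline example).

Hostnames, documents and the in-memory 'web' are invented for illustration.
"""
import json
import re
from urllib.parse import urlsplit

# Constructed fake web: URL -> (status, headers, body). Hostnames are hypothetical.
RS = "https://rs.example"
AS = "https://as.example"
FAKE_WEB = {
    f"{RS}/photos/1": (
        401,
        {"WWW-Authenticate": f'Bearer realm="photos", '
                             f'resource_metadata="{RS}/.well-known/oauth-protected-resource"'},
        None,
    ),
    f"{RS}/.well-known/oauth-protected-resource": (
        200, {}, json.dumps({"resource": RS, "authorization_servers": [AS]}),
    ),
    f"{AS}/.well-known/oauth-authorization-server": (
        200, {}, json.dumps({"issuer": AS,
                             "authorization_endpoint": f"{AS}/authorize",
                             "token_endpoint": f"{AS}/token"}),
    ),
}

# auth-param: token "=" ( token / quoted-string ), as in RFC 7235
_AUTH_PARAM = re.compile(r'([A-Za-z0-9!#$%&*+.^_|~-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s",]+))')


def parse_bearer_challenge(header):
    """Parse 'Bearer k=v, k2="v2"' into a dict; quoted-pair escapes are unescaped."""
    scheme, _, rest = header.strip().partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError(f"unsupported challenge scheme: {scheme!r}")
    params = {}
    for m in _AUTH_PARAM.finditer(rest):
        name, quoted, token = m.group(1).lower(), m.group(2), m.group(3)
        params[name] = re.sub(r"\\(.)", r"\1", quoted) if quoted is not None else token
    return params


def origin(url):
    """(scheme, host[:port]) of a URL, lower-cased, for same-origin comparison."""
    p = urlsplit(url)
    return (p.scheme.lower(), p.netloc.lower())


class Fetcher:
    """Serves the fake web and counts round trips so the cost of the path is visible."""
    def __init__(self, web):
        self.web, self.requests = web, 0

    def get(self, url):
        self.requests += 1
        return self.web.get(url, (404, {}, None))


def discover_from_resource(fetcher, resource_url):
    """Return the authorization server metadata for a protected resource, starting
    at the resource itself. Raises ValueError when any document fails a check."""
    status, headers, _ = fetcher.get(resource_url)
    if status != 401 or "WWW-Authenticate" not in headers:
        raise ValueError("resource did not return a 401 challenge")
    challenge = parse_bearer_challenge(headers["WWW-Authenticate"])
    md_url = challenge.get("resource_metadata")
    if md_url is None:
        raise ValueError("challenge carries no resource_metadata pointer")
    # The pointer must be https and on the resource's own origin: anything else lets a
    # rogue or tampered resource server steer the client to an attacker's AS.
    if origin(md_url)[0] != "https" or origin(md_url) != origin(resource_url):
        raise ValueError(f"refusing off-origin metadata URL {md_url}")
    status, _, body = fetcher.get(md_url)
    if status != 200:
        raise ValueError("resource metadata not found")
    rs_md = json.loads(body)
    # The metadata must claim the resource we actually asked for.
    if origin(rs_md.get("resource", "")) != origin(resource_url):
        raise ValueError("resource metadata does not describe this resource")
    issuer = rs_md["authorization_servers"][0]
    status, _, body = fetcher.get(issuer.rstrip("/") + "/.well-known/oauth-authorization-server")
    if status != 200:
        raise ValueError("authorization server metadata not found")
    as_md = json.loads(body)
    # The issuer must echo the identifier the URL was derived from (RFC 8414 check).
    if as_md.get("issuer") != issuer:
        raise ValueError("issuer mismatch in authorization server metadata")
    return as_md


if __name__ == "__main__":
    f = Fetcher(FAKE_WEB)
    md = discover_from_resource(f, f"{RS}/photos/1")
    print(md["token_endpoint"], "found after", f.requests, "round trips")
```

Run as written, the client needs three round trips (resource, resource metadata, authorization server metadata) before it knows the token endpoint; the "discovery proxy" idea in the thread would have the resource server fold the third document into its own answer and save one. The origin check on `resource_metadata` is what keeps the shortcut from becoming a redirection primitive.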
