Hi,

Are there any drafts that discuss the notion of an RS acting as a client? I'm considering the use case whereby a native mobile app obtains an access token and sends it to the RS, and then the RS uses it to access the UserInfo endpoint on an OP.

It's a bearer token so no reason it wouldn't work, but obviously it is meant to be presented by the client and not the RS. Curious to understand the security implications of this, read on any thoughts given to this, or to know if it's an otherwise accepted practice.

tx
adam
