Hi Adam,
If all the RS needs is say the "sub" field for the user, then you might
want to look at the introspection spec as this allows the AS/OP to
determine if the RS is "authorized" to introspect the token.
I know that Justin implemented a simple token exchange model that
allowed for downstream chaining.
Another thing to consider is scope issues. Does the token the native app
received have more scopes than the RS should be able to leverage? If so,
the native app should downscope the access token before sending it to
the RS.
Thanks,
George
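To make the three points above concrete (the AS authenticating the RS before answering an introspection call, the AS answering "active": false when the caller is not entitled to learn about a token, and the native app downscoping before handing the token on), here is a small self-contained model in Python. It is an added example written for this page, not code from the thread, from Justin's implementation, or from any IETF draft; the class names, the audience/visible-claims registration model, and the downscope() exchange shape are assumptions chosen for illustration, and the tokens are opaque random handles looked up in memory.

```python
# Added example, not code from the thread or from any IETF spec: a toy model of an
# authorization server that (a) authenticates the resource server before answering
# an introspection call, (b) answers "active": false when the caller is not
# entitled to learn about the token, and (c) lets the client downscope a token.
import hmac
import secrets
import time


class AuthorizationServer:
    def __init__(self, now=time.time):
        self._now = now                      # injectable clock so expiry is testable
        self._tokens = {}                    # token handle -> record (assumed storage)
        self._resource_servers = {}          # rs_id -> registration (assumed model)

    def register_rs(self, rs_id, secret, audiences, visible_claims=("sub",)):
        """Register a resource server and what it may learn via introspection."""
        self._resource_servers[rs_id] = {
            "secret": secret,
            "audiences": set(audiences),      # audiences this RS may ask about
            "visible_claims": set(visible_claims),
        }

    def issue_token(self, sub, scope, aud, ttl=3600):
        """Issue an opaque bearer token (random handle; no claims inside it)."""
        handle = secrets.token_urlsafe(32)
        self._tokens[handle] = {"sub": sub, "scope": set(scope), "aud": aud,
                                "exp": int(self._now()) + ttl}
        return handle

    def downscope(self, token, requested_scope, aud=None):
        """Exchange a token for a narrower one; the client keeps the original.
        Loosely modelled on token exchange (assumption, not a spec transcription)."""
        rec = self._tokens.get(token)
        if rec is None or rec["exp"] <= self._now():
            raise ValueError("invalid_grant")
        requested = set(requested_scope)
        if not requested <= rec["scope"]:
            raise ValueError("invalid_scope")  # may only narrow, never widen
        return self.issue_token(rec["sub"], requested, aud or rec["aud"],
                                ttl=rec["exp"] - int(self._now()))

    def introspect(self, rs_id, rs_secret, token):
        """Introspection in the style of RFC 7662: caller must be an authenticated RS."""
        rs = self._resource_servers.get(rs_id)
        if rs is None or not hmac.compare_digest(rs["secret"], rs_secret):
            raise PermissionError("invalid_client")
        rec = self._tokens.get(token)
        # Unknown, expired, or not addressed to this RS all look the same, so the
        # caller learns nothing about tokens it is not entitled to see.
        if rec is None or rec["exp"] <= self._now() or rec["aud"] not in rs["audiences"]:
            return {"active": False}
        resp = {"active": True, "scope": " ".join(sorted(rec["scope"])),
                "aud": rec["aud"], "exp": rec["exp"]}
        for claim in rs["visible_claims"]:
            resp[claim] = rec[claim]          # e.g. only "sub", as in the question
        return resp


def rs_authorize(as_, rs_id, rs_secret, token, required_scope):
    """What the RS does with an incoming bearer token: introspect, check the
    scope it actually needs, and return the subject (None means answer 401)."""
    info = as_.introspect(rs_id, rs_secret, token)
    if not info.get("active"):
        return None
    if not set(required_scope) <= set(info["scope"].split()):
        return None
    return info.get("sub")


def demo():
    """Walk through the thread's scenario with constructed data; returns a dict."""
    as_ = AuthorizationServer()
    as_.register_rs("api.example", "s3cret", audiences={"api.example"})
    as_.register_rs("other.example", "other", audiences={"other.example"})
    # The native app obtained a token broader than the API needs...
    broad = as_.issue_token("alice", {"openid", "profile", "email", "payments"},
                            aud="api.example")
    # ...and narrows it before handing it to the RS.
    narrow = as_.downscope(broad, {"openid", "profile"})
    results = {
        "narrow_ok": rs_authorize(as_, "api.example", "s3cret", narrow, {"openid"}),
        "narrow_no_payments": rs_authorize(as_, "api.example", "s3cret", narrow, {"payments"}),
        "broad_leaks_payments": rs_authorize(as_, "api.example", "s3cret", broad, {"payments"}),
        "wrong_rs": as_.introspect("other.example", "other", narrow),
        "garbage": as_.introspect("api.example", "s3cret", "not-a-token"),
    }
    try:
        as_.downscope(narrow, {"payments"})
        results["widen"] = "allowed"
    except ValueError as e:
        results["widen"] = str(e)
    try:
        as_.introspect("api.example", "wrong", narrow)
        results["bad_secret"] = "allowed"
    except PermissionError as e:
        results["bad_secret"] = str(e)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The "broad_leaks_payments" entry is the case George warns about: if the app forwards the undiminished token, the RS can exercise "payments" even though it only needed "sub". Downscoping first, and having the AS refuse to widen, closes that off; the audience check in introspect() is what stops an unrelated RS from learning anything about a token that was not issued for it.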
On 8/12/15 1:01 PM, Adam Lewis wrote:
Hi,
Are there any drafts that discuss the notion of an RS acting as a
client? I'm considering the use case whereby a native mobile app
obtains an access token and sends it to the RS, and then the RS uses
it to access the UserInfo endpoint on an OP.
It's a bearer token so no reason it wouldn't work, but obviously it is
meant to be presented by the client and not the RS. Curious to
understand the security implications of this, read on any thoughts
given to this, or to know if it's an otherwise accepted practice.
tx
adam
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth