Mike, thanks for drafting and publishing these specifications. I have a couple of questions regarding the draft-jones-oauth-resource-metadata-00.

1. Is a "protected resource" a server, or an actual API endpoint? The non-normative examples use /.well-known/oauth-protected-resource and /resource1/.well-known/oauth-protected-resource, which is a little unclear. I think of a "resource" as something like "Mail" or "Instant Messaging".

2. Assuming that "protected resource" means an actual API endpoint, what is the expected location of the metadata for a fully REST-compliant API where the full URL points to a specific resource and not to the concept of a general API?

   Using an example of an IdP that supports user management
   capabilities, let's assume the IdP supports a REST API of...

        CREATE -- POST   https://idp.example.com/tenant/<tenantid>/users
        READ   -- GET    https://idp.example.com/tenant/<tenantid>/users/<userid>
        UPDATE -- PUT    https://idp.example.com/tenant/<tenantid>/users/<userid>
        DELETE -- DELETE https://idp.example.com/tenant/<tenantid>/users/<userid>

   Assuming there are 3 tenants (tenantA, tenantB, tenantB) and lots of
   users, where does the .well-known/oauth-protected-resource get added?

        ?? https://idp.example.com/tenant/tenantA/users/1232234/.well-known/oauth-protected-resource

   In this case, would the oauth-protected-resource metadata not be
   duplicated across the set of tenants and users? Is that the desired
   behavior?

Thanks,
George
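The per-user metadata location George asks about, worked through as an added Python example (not code from the draft or from any project on this list). It assumes the placement shown in the message, the well-known path appended to the resource URL's path, and assumes the metadata document carries `resource` and `authorization_servers` members; the hostnames, the route pattern and the per-tenant issuer table are constructed for illustration. The server side answers every tenant/user well-known URL from one route, so nothing is physically duplicated per user, and the client side refuses metadata whose `resource` value does not match the URL it was derived from.

```python
import json
import re
from urllib.parse import urlsplit, urlunsplit

# Well-known path as it appears in the question (assumption: appended to the resource path).
WELL_KNOWN = ".well-known/oauth-protected-resource"
WELL_KNOWN_SUFFIX = "/" + WELL_KNOWN


def metadata_url(resource_url: str) -> str:
    """Derive the metadata URL for a protected resource by appending the
    well-known path to the resource URL's path component."""
    parts = urlsplit(resource_url)
    path = parts.path.rstrip("/") + WELL_KNOWN_SUFFIX
    # Query and fragment are dropped: the metadata location is path-based.
    return urlunsplit((parts.scheme, parts.netloc, path, "", ""))


# --- server side ------------------------------------------------------------
# One route covers every tenant's user resource, so the metadata document is
# generated per request instead of being stored once per tenant and user.
USER_ROUTE = re.compile(
    r"^/tenant/(?P<tenant>[^/]+)/users/(?P<user>[^/]+)" + re.escape(WELL_KNOWN_SUFFIX) + r"$"
)

# Constructed sample: which authorization server issuer each tenant trusts.
AUTH_SERVERS = {
    "tenantA": "https://as-a.example.com",
    "tenantB": "https://as-b.example.com",
}


def serve_metadata(request_url: str):
    """Hypothetical request handler: returns (status, json_body_or_None)."""
    parts = urlsplit(request_url)
    match = USER_ROUTE.match(parts.path)
    if match is None:
        return 404, None
    tenant = match.group("tenant")
    if tenant not in AUTH_SERVERS:
        return 404, None  # unknown tenant: no metadata, no hint about other tenants
    # The resource identifier is the request URL with the well-known suffix removed.
    resource = urlunsplit(
        (parts.scheme, parts.netloc, parts.path[: -len(WELL_KNOWN_SUFFIX)], "", "")
    )
    body = {
        "resource": resource,
        "authorization_servers": [AUTH_SERVERS[tenant]],
        "bearer_methods_supported": ["header"],
    }
    return 200, json.dumps(body)


# --- client side ------------------------------------------------------------
def client_discover(resource_url: str, fetch=serve_metadata) -> dict:
    """Resolve metadata for a resource URL and check it describes that resource.

    `fetch` is injected so the example runs offline against serve_metadata."""
    status, body = fetch(metadata_url(resource_url))
    if status != 200:
        raise LookupError(f"no protected resource metadata for {resource_url}")
    metadata = json.loads(body)
    # Refuse a document that claims to describe a different resource; a client
    # that skipped this check could be steered to the wrong authorization server.
    if metadata.get("resource") != resource_url:
        raise ValueError(
            f"metadata resource {metadata.get('resource')!r} != {resource_url!r}"
        )
    if not metadata.get("authorization_servers"):
        raise ValueError("metadata lists no authorization servers")
    return metadata


if __name__ == "__main__":
    user = "https://idp.example.com/tenant/tenantA/users/1232234"
    print(metadata_url(user))
    print(client_discover(user))
```

Because the route matches any tenant and user id, the well-known document George points at exists for every user URL without a copy per user; what differs between tenants is only the `authorization_servers` value, which is exactly the per-tenant information a client needs.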

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth