Hi Mike,

Just read your spec and I'm also a bit confused about the "resource" metadata element in section 2.

I would assume the metadata are provided for a certain resource server managing a set of resources in a particular administrative domain. So I would prefer to name the respective element "resource_server". In the example George gave, the URL would be "https://idp.example.com/tenant/<tenantid>/". Resources managed by a particular resource server could use sub-paths of the respective URL, such as "https://idp.example.com/tenant/<tenantid>/users/<userid>".

best regards,
Torsten.

On 05.08.2016 at 02:10, George Fletcher wrote:
Mike, thanks for drafting and publishing these specifications. I have a couple of questions regarding the draft-jones-oauth-resource-metadata-00.

1. Is a "protected resource" a server, or an actual API endpoint? The non-normative examples use /.well-known/oauth-protected-resource and /resource1/.well-known/oauth-protected-resource which is a little unclear. I think of "resource" as something like "Mail" or "Instant Messaging".

2. Assuming that "protected resource" means an actual API endpoint, what is the expected location of the metadata for a fully REST compliant API where the full URL points to a specific resource and not the concept of a general API?

    Using an example of an IdP that supports user management
    capabilities. Let's assume the IdP supports a REST API of...

        CREATE -- POST https://idp.example.com/tenant/<tenantid>/users
        READ -- GET https://idp.example.com/tenant/<tenantid>/users/<userid>
        UPDATE -- PUT https://idp.example.com/tenant/<tenantid>/users/<userid>
        DELETE -- DELETE https://idp.example.com/tenant/<tenantid>/users/<userid>

    Assuming there are 3 tenants (tenantA, tenantB, tenantB) and lots
    of users. Where does the .well-known/oauth-protected-resource get
    added?

       ?? https://idp.example.com/tenant/tenantA/users/1232234/.well-known/oauth-protected-resource

    In this case would not the oauth-protected-resource metadata be
    duplicated across the set of tenants and users? Is that the
    desired behavior?

Thanks,
George


_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
