On Sat, Jul 21, 2018 at 12:49 PM, Torsten Lodderstedt <
tors...@lodderstedt.net> wrote:

> Hi Dick,
>
> Am 19.07.2018 um 15:46 schrieb Dick Hardt <dick.ha...@gmail.com>:
>
>> I think any scenario with multiple resource servers relying on the same AS
>> for authorization where the client acts on behalf of the resource owner
>> qualifies for grant type code and distributed OAuth.
>>
>> Let’s assume a user wants to authorize a client for access to her cloud
>> storage, email account and contacts when setting up the respective app.
>>
>
> Would you walk me through the user experience that happened for the client
> to do discovery on these three resources? In other words, what did the user
> do to get the client to call the resource and get back the 401 response?
>
>
> I would assume the user enters the URLs or identifies the respective
> service providers in the app (e.g. by entering her email address). The
> client then sends an initial request as described in your draft and gets
> back the 401.
>

Entering in an email address that resolves to a resource makes sense. It
would seem that even if this was email, calendar etc. -- that those would
be different scopes for the same AS, not even different resources. That is
how all of Google, Microsoft work today.

It seems improbable that an end user is going to post multiple resource end
points. But I'm interested if you can present such a use case.



>
> Doing so for several resources will give the client the AS URL for all
> involved resources. If the client compares the iss claims it will figure
> out all resources are protected by the same AS and can authorize access via
> a single authz code grant flow.
>

Today, if you had a Google hosted email and a Microsoft hosted email, you
would have different AS.

Do you have another example?



>
> kind regards,
> Torsten.
>
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
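As an added illustration of the discovery step discussed above (not code from either poster or from the draft itself): a client sends an unauthenticated request to each resource the user named, reads the Bearer challenge in the 401, and groups resources by the AS each challenge points at, so that resources behind one AS need only a single authorization code flow. The challenge parameter names `as_uri` and `resource_uri` are assumed from draft-hardt-oauth-distributed; the hosts and the 401 headers below are constructed sample data.

```python
import re
from urllib.parse import urlparse

# Constructed 401 WWW-Authenticate headers keyed by the URI the client called.
# Hosts are hypothetical; as_uri/resource_uri names are assumed from the draft.
SAMPLE_CHALLENGES = {
    "https://storage.example.net/files":
        'Bearer realm="storage", as_uri="https://as.example.com", '
        'resource_uri="https://storage.example.net/files"',
    "https://mail.example.net/api":
        'Bearer realm="mail", as_uri="https://as.example.com", '
        'resource_uri="https://mail.example.net/api"',
    "https://contacts.other.example/api":
        'Bearer realm="contacts", as_uri="https://login.other.example", '
        'resource_uri="https://contacts.other.example/api"',
    # Edge case: a challenge naming a plain-http AS, which the client must ignore.
    "https://legacy.example.net/api":
        'Bearer realm="legacy", as_uri="http://as.example.com", '
        'resource_uri="https://legacy.example.net/api"',
}

_PARAM = re.compile(r'(\w+)="([^"]*)"')

def parse_bearer_challenge(header):
    """Split 'Bearer k="v", ...' into a dict of auth-params."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError("not a Bearer challenge")
    return dict(_PARAM.findall(params))

def accept_challenge(requested_uri, params):
    """Accept only an https AS and a resource_uri covering what was called."""
    as_uri = params.get("as_uri")
    res_uri = params.get("resource_uri")
    if not as_uri or urlparse(as_uri).scheme != "https":
        return False
    return bool(res_uri) and requested_uri.startswith(res_uri)

def group_by_as(challenges):
    """Map each AS URI to the resources it protects; one authz flow per key."""
    groups = {}
    for requested, header in challenges.items():
        params = parse_bearer_challenge(header)
        if accept_challenge(requested, params):
            groups.setdefault(params["as_uri"], []).append(params["resource_uri"])
    return groups
```

With the sample data, the storage and mail resources collapse into one authorization at `https://as.example.com`, the contacts resource needs a second flow at its own AS, and the plain-http challenge is dropped.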