This is half baked but I wanted to get people's reaction:

Clients tries accessing a resource with or without an access token:

  GET /resource/1 HTTP/1.1
  Host: server.example.com

The server replies with:

  HTTP/1.1 401 Unauthorized
  WWW-Authenticate: OAuth realm='example'

Clients requests an access token (using the client credentials flow) and
includes the requested realm (line breaks for display purposes):

  POST /access_token HTTP/1.1
  Host: server.example.com
  
  client_id=s6BhdRkqt3&client_secret=8eSEIpnqmM&
  mode=flow_client&realm=example

The server issues a access token capable of accessing the resource realm.

This means one new parameter on the request side which is already baked into
the 401 response in a standard way.

Thoughts?

EHL

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

Reply via email to