This is half baked but I wanted to get people's reaction:

The client tries accessing a resource with or without an access token:

GET /resource/1 HTTP/1.1
Host: server.example.com

The server replies with:

HTTP/1.1 401 Unauthorized
WWW-Authenticate: OAuth realm='example'

The client requests an access token (using the client credentials flow) and includes the requested realm (line breaks for display purposes):

POST /access_token HTTP/1.1
Host: server.example.com

client_id=s6BhdRkqt3&client_secret=8eSEIpnqmM&
mode=flow_client&realm=example

The server issues an access token capable of accessing the resource realm.

This means one new parameter on the request side which is already baked into the 401 response in a standard way.

Thoughts?

EHL

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
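The exchange proposed above, worked through in code as an added example; this is not part of the original post and not code from any OAuth implementation. It models both sides in-process so it runs offline: the resource server answers with the 401 challenge carrying the realm, the client parses the realm out of WWW-Authenticate and sends it along with its client credentials, and the token endpoint issues a token bound to that realm. Everything the post leaves unspecified is an assumption here: the token format (realm.nonce.HMAC tag under a hypothetical SERVER_KEY), the class and function names, and that the token is presented back as "Authorization: OAuth <token>". It also shows the check a practitioner would want, namely that a token minted for one realm is refused by a resource in another, and that an unknown realm is rejected at the token endpoint rather than producing a useless token.

```python
"""Added example of the realm-bound client-credentials exchange from the post.
All names, the token format and SERVER_KEY are assumptions for illustration."""
import hashlib
import hmac
import re
import secrets
from urllib.parse import parse_qs, urlencode

SERVER_KEY = b"example-server-key"          # hypothetical key binding tokens to realms
CLIENTS = {"s6BhdRkqt3": "8eSEIpnqmM"}      # client_id -> client_secret (from the post)
REALMS = {"example"}                        # realms the token endpoint will issue for

# auth-param parser: name="v", name='v' (as written in the post) or bare token
_PARAM_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s,]+))""")


def parse_www_authenticate(value):
    """Return (scheme, params) for a challenge such as "OAuth realm='example'"."""
    scheme, _, rest = value.strip().partition(" ")
    params = {}
    for m in _PARAM_RE.finditer(rest):
        params[m.group(1).lower()] = next(g for g in m.groups()[1:] if g is not None)
    return scheme, params


def _sign(realm, nonce):
    """Tag that ties a token to its realm; only the server holds SERVER_KEY."""
    return hmac.new(SERVER_KEY, f"{realm}.{nonce}".encode(), hashlib.sha256).hexdigest()[:32]


class TokenEndpoint:
    """POST /access_token for mode=flow_client with the proposed realm parameter."""

    def handle(self, body):
        form = {k: v[0] for k, v in parse_qs(body).items()}
        if form.get("mode") != "flow_client":
            return 400, {"error": "unsupported_mode"}
        secret = CLIENTS.get(form.get("client_id", ""))
        if secret is None or not hmac.compare_digest(secret, form.get("client_secret", "")):
            return 401, {"error": "invalid_client"}
        realm = form.get("realm", "")
        if realm not in REALMS:
            return 400, {"error": "unknown_realm"}   # refuse rather than mint a useless token
        nonce = secrets.token_hex(8)
        return 200, {"access_token": f"{realm}.{nonce}.{_sign(realm, nonce)}", "realm": realm}


class ResourceServer:
    """Protected resource in realm 'example'; 401 advertises the realm to request."""
    REALM = "example"

    def handle(self, method, path, headers):
        auth = headers.get("Authorization", "")
        if auth.startswith("OAuth ") and self._token_valid(auth[6:].strip(), self.REALM):
            return 200, {}, f"contents of {path}"
        return 401, {"WWW-Authenticate": f"OAuth realm='{self.REALM}'"}, ""

    @staticmethod
    def _token_valid(token, realm):
        parts = token.split(".")
        if len(parts) != 3 or parts[0] != realm:
            return False                      # wrong realm or malformed token
        return hmac.compare_digest(parts[2], _sign(parts[0], parts[1]))


class Client:
    """Client that learns the realm from the 401 and asks for a token for it."""

    def __init__(self, client_id, client_secret):
        self.client_id, self.client_secret = client_id, client_secret
        self.tokens = {}                      # realm -> cached access token

    def fetch(self, resource_server, token_endpoint, path):
        """Unauthenticated GET, read realm from 401, get realm token, retry once."""
        headers = {}
        for _ in range(2):
            status, resp_headers, body = resource_server.handle("GET", path, headers)
            if status != 401:
                return status, body
            scheme, params = parse_www_authenticate(resp_headers.get("WWW-Authenticate", ""))
            if scheme != "OAuth" or "realm" not in params:
                return status, body           # not a challenge we can act on
            realm = params["realm"]
            if realm not in self.tokens:
                tstatus, tbody = token_endpoint.handle(urlencode({
                    "client_id": self.client_id, "client_secret": self.client_secret,
                    "mode": "flow_client", "realm": realm}))
                if tstatus != 200:
                    return tstatus, tbody["error"]
                self.tokens[realm] = tbody["access_token"]
            headers = {"Authorization": f"OAuth {self.tokens[realm]}"}
        return status, body


if __name__ == "__main__":
    client = Client("s6BhdRkqt3", "8eSEIpnqmM")
    print(client.fetch(ResourceServer(), TokenEndpoint(), "/resource/1"))
```

The realm never has to be configured on the client: it comes from the challenge, which is the point of the proposal, and the token endpoint can refuse a realm it does not serve before any credential is wasted on it.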