Presumably, the realm was used to discover the token issuance endpoints. Why wouldn't the discovered URL of the access token endpoint dictate realm, and why can't the realm then be implicit beyond discovery?
-----Original Message-----
From: Eran Hammer-Lahav <e...@hueniverse.com>
To: OAuth WG <oauth@ietf.org>
Subject: [OAUTH-WG] Scope using Realm idea
Date: Fri, 2 Apr 2010 09:18:36 -0700

This is half baked but I wanted to get people's reaction:

Client tries accessing a resource with or without an access token:

GET /resource/1 HTTP/1.1
Host: server.example.com

The server replies with:

HTTP/1.1 401 Unauthorized
WWW-Authenticate: OAuth realm='example'

Client requests an access token (using the client credentials flow) and includes the requested realm (line breaks for display purposes):

POST /access_token HTTP/1.1
Host: server.example.com

client_id=s6BhdRkqt3&client_secret=8eSEIpnqmM&
mode=flow_client&realm=example

The server issues an access token capable of accessing the resource realm.

This means one new parameter on the request side which is already baked into the 401 response in a standard way.

Thoughts?

EHL
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
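The round trip proposed in the quoted message (401 with a realm, then a client-credentials token request carrying that realm, then a token usable only for that realm), as an added example that is not part of the original thread. The in-memory AuthServer and ResourceServer classes, the client_flow helper and the token-to-realm binding are constructed here to illustrate the idea; only the header, parameter names and client credentials come from the post.

```python
import re
import secrets
from urllib.parse import parse_qs, urlencode

# Challenge parameter parser: accepts realm='example' (as written in the post) and realm="example".
_PARAM_RE = re.compile(r"""(\w+)=(?:"([^"]*)"|'([^']*)'|([^\s,]+))""")

def parse_challenge(header_value):
    """Split a WWW-Authenticate value into (scheme, {param: value})."""
    scheme, _, rest = header_value.strip().partition(" ")
    params = {}
    for m in _PARAM_RE.finditer(rest):
        params[m.group(1).lower()] = next(g for g in m.groups()[1:] if g is not None)
    return scheme, params

def build_token_request(client_id, client_secret, realm):
    """Form body for the client credentials flow, with the proposed realm parameter."""
    return urlencode({"client_id": client_id, "client_secret": client_secret,
                      "mode": "flow_client", "realm": realm})

class AuthServer:  # toy token endpoint, constructed for this example
    def __init__(self, clients):
        self.clients = clients   # client_id -> client_secret
        self.tokens = {}         # issued token -> realm it is bound to
    def access_token(self, body):
        form = {k: v[0] for k, v in parse_qs(body).items()}
        secret = self.clients.get(form.get("client_id"), "")
        if not secret or not secrets.compare_digest(secret, form.get("client_secret", "")):
            return 401, None
        if not form.get("realm"):
            return 400, None          # the realm is what the token will be scoped to
        token = secrets.token_urlsafe(16)
        self.tokens[token] = form["realm"]
        return 200, token

class ResourceServer:  # toy protected resource: accepts only tokens bound to its own realm
    def __init__(self, auth, realm):
        self.auth, self.realm = auth, realm
    def get(self, token=None):
        if self.auth.tokens.get(token) != self.realm:
            return 401, f"OAuth realm='{self.realm}'"   # the 401 advertises the realm to request
        return 200, None

def client_flow(resource, auth, client_id, client_secret):
    """Unauthenticated request -> read realm from the 401 -> request realm-bound token -> retry."""
    _, challenge = resource.get()
    _, params = parse_challenge(challenge)
    _, token = auth.access_token(build_token_request(client_id, client_secret, params["realm"]))
    return resource.get(token)[0], params["realm"], token
```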