> So, let’s say there is an Authorization Server available at http://as.com and 
> it protects the http://foo.com and http://bar.com resources.

> A client requests http://foo.com. The foo.com server responds with a 
> WWW-Auth that contains the http://as.com URI. The client then sends an access 
> token request to http://as.com. Is that right?

> If so, then how does http://as.com know that the intended resource is 
> http://foo.com?

Foo.com should point the client at, say, http://as.com/foo/ or 
http://foo.as.com/ or http://as.com/?scope=foo or 
http://as.com/?encrypted_resource_id=273648264287642 or whatever it has agreed 
to with its AS.

The WWW-Auth response from foo.com should not be just http://as.com.

Foo is much better placed to know it shares as.com with Bar than a client is.



--

James Manger

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
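The three hops discussed above, as an added example that is not part of James's reply or of any OAuth implementation: foo.com emits a challenge naming a resource-specific AS URI, the client takes that URI verbatim, and the AS recovers the intended resource from it. The `as_uri` challenge parameter, the `http://as.com/<resource>/` and `http://as.com/?scope=<resource>` conventions, and the resource registry are assumptions for illustration only; they are not registered OAuth parameters.

```python
"""Added example (not from the mailing-list post or any OAuth library).

Assumed conventions, not standards: a ``as_uri`` auth-param in the Bearer
challenge, and an AS that maps either the path http://as.com/<name>/ or the
query http://as.com/?scope=<name> to a protected resource it has agreed
with that resource server.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed registry shared between the AS and its resource servers.
AS_ORIGIN = "http://as.com"
RESOURCE_PATHS = {"foo": "http://foo.com", "bar": "http://bar.com"}


def build_challenge(resource_name: str) -> str:
    """Resource-server side: point the client at a per-resource AS URI,
    never at the bare AS origin, so the AS can tell foo.com from bar.com."""
    if resource_name not in RESOURCE_PATHS:
        raise ValueError("unknown resource")
    return f'Bearer realm="{resource_name}", as_uri="{AS_ORIGIN}/{resource_name}/"'


# auth-param = token "=" quoted-string (RFC 7235); backslash escapes allowed.
_PARAM_RE = re.compile(r'([A-Za-z0-9_-]+)\s*=\s*"((?:[^"\\]|\\.)*)"')


def parse_challenge(header: str) -> dict:
    """Split a WWW-Authenticate value into its auth-params."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError("unsupported scheme")
    return {k.lower(): v.replace('\\"', '"') for k, v in _PARAM_RE.findall(params)}


def client_as_endpoint(header: str) -> str:
    """Client side: use the AS URI as given. The client only checks that it
    is an absolute http(s) URI; it does not need to know which resources
    share an AS, because foo.com already encoded that in the URI."""
    as_uri = parse_challenge(header).get("as_uri")
    if not as_uri:
        raise ValueError("challenge carries no as_uri")
    parts = urlsplit(as_uri)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("as_uri is not an absolute http(s) URI")
    return as_uri


def as_intended_resource(request_uri: str) -> str:
    """AS side: recover the protected resource from the URI the client hit.
    A bare http://as.com/ carries no resource and is rejected, not guessed."""
    parts = urlsplit(request_uri)
    if f"{parts.scheme}://{parts.netloc}" != AS_ORIGIN:
        raise ValueError("request is not for this AS")
    segments = [s for s in parts.path.split("/") if s]
    candidates = segments + parse_qs(parts.query).get("scope", [])
    if len(candidates) != 1 or candidates[0] not in RESOURCE_PATHS:
        raise ValueError("no single agreed resource in this URI")
    return RESOURCE_PATHS[candidates[0]]


def exchange(resource_name: str) -> tuple[str, str, str]:
    """Walk the hops: foo.com challenge -> client -> AS resolves audience."""
    challenge = build_challenge(resource_name)
    as_uri = client_as_endpoint(challenge)
    audience = as_intended_resource(as_uri)
    return challenge, as_uri, audience


if __name__ == "__main__":
    for hop in exchange("foo"):
        print(hop)
```

The point of the AS-side check is the one made in the reply: if the challenge had said only `http://as.com`, `as_intended_resource` has nothing to resolve and refuses, rather than issuing a token whose audience the AS had to guess.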