On 17.04.2010 14:30, Manger, James H wrote:

> authz-uri=http://as.com
> realm=foo
>
> What do you think?

I can’t see any benefit in making the client app combine the realm and authz-uri, over the server just returning an authz-uri with that information already included (in whatever concise form it wants).

Matching realm values allows a client to recognize when the same credential (e.g. token) can be used. This might preclude realm values differing between Foo and Bar services that can accept the same tokens.


How shall the client recognize if the same token can be used for Foo and Bar? Realm would be an option.

regards,
Torsten.
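A client-side sketch of the realm matching discussed above, added here as an example and not code from the thread or from any OAuth implementation: it parses the challenge attributes and keys a token cache on (authz-uri, realm), so challenges from Foo and Bar with matching values resolve to the same cached token while a differing realm does not. The scheme name `Token`, the helper names and the sample challenges are assumptions.

```python
import re

# Constructed sample challenges (not taken from the thread). The scheme
# name "Token" is an assumption; the attribute names follow the discussion.
FOO_CHALLENGE = 'Token realm="foo", authz-uri="http://as.com"'
BAR_CHALLENGE = 'Token realm="foo", authz-uri=http://as.com'
OTHER_CHALLENGE = 'Token realm="bar", authz-uri="http://as.com"'

# attr=value pairs; the value may be a quoted string or a bare token.
_PARAM_RE = re.compile(r'([A-Za-z][\w-]*)\s*=\s*(?:"([^"]*)"|([^\s,]+))')


def parse_challenge(header):
    """Split a WWW-Authenticate value into (scheme, {attr: value})."""
    scheme, _, rest = header.strip().partition(" ")
    params = {}
    for m in _PARAM_RE.finditer(rest):
        name, quoted, bare = m.groups()
        params[name.lower()] = quoted if quoted is not None else bare
    return scheme, params


def protection_space(params):
    """Identify where a token is valid: the authz-uri plus the realm, if any.

    Without a realm the authz-uri alone carries the distinction (James's
    http://as.com/foo/ style), so the key degrades to (authz-uri, None).
    """
    authz_uri = params.get("authz-uri")
    if not authz_uri:
        raise ValueError("challenge lacks authz-uri")
    return (authz_uri, params.get("realm"))


class TokenCache:
    """Tokens keyed by protection space, so one is never sent elsewhere."""

    def __init__(self):
        self._tokens = {}

    def store(self, params, token):
        self._tokens[protection_space(params)] = token

    def lookup(self, params):
        return self._tokens.get(protection_space(params))


def token_for(cache, header):
    """Return a cached token that matches the challenge, or None."""
    scheme, params = parse_challenge(header)
    if scheme.lower() != "token":
        return None  # unrelated scheme: never reuse an OAuth token here
    return cache.lookup(params)
```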

--

James Manger

*From:* Torsten Lodderstedt [mailto:tors...@lodderstedt.net]
*Sent:* Saturday, 17 April 2010 6:48 PM
*To:* Manger, James H
*Cc:* Justin Smith; OAuth WG
*Subject:* Re: [OAUTH-WG] Issue: Scope parameter

In a recent discussion, another proposal was to use the realm attribute of the WWW-Authenticate header to indicate the scope.

So in your example the header would include two attributes:
authz-uri=http://as.com
realm=foo

What do you think?

regards,
Torsten.

On 16.04.2010 06:43, Manger, James H wrote:

> So, let’s say there is an Authorization Server available at http://as.com and it protects the http://foo.com and http://bar.com resources.

> A client requests http://foo.com. The foo.com server responds with a WWW-Auth that contains the http://as.com URI. The client then sends an access token request to http://as.com. Is that right?

> If so, then how does http://as.com know that the intended resource is http://foo.com?

Foo.com should point the client at, say, http://as.com/foo/ or http://foo.as.com/ or http://as.com/?scope=foo or http://as.com/?encrypted_resource_id=273648264287642 or whatever it has agreed to with its AS.

The WWW-Auth response from foo.com should not be just http://as.com.

Foo is much better placed to know it shares as.com with Bar than a client is.

--

James Manger


_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
