Isn't this taken care of by the scope? I assume the requested scope is associated with the issued access token.
It is up to the sites accepting the access tokens (the protected resources) to verify and enforce the scope.

Marius

On Thu, May 6, 2010 at 4:57 PM, Manger, James H <james.h.man...@team.telstra.com> wrote:
> The OAuth2 protocol does not indicate where a token can be used.
>
> It needs to do so because if a client app sends a token to the wrong site it
> destroys the security.
>
> I suggest another field in the JSON token response:
>
> "sites": ["https://api.example.com", "http://photo.example.com:8080"]
>
> It would be a list of sites where the token can be used, specified by
> scheme://host[:port].
>
> The default value for the “sites” field could be the token endpoint site (or
> the authorization endpoint site if a token endpoint isn’t used).
>
> For instance, if Facebook’s new API uses https://graph.facebook.com for all
> resources, tokens, and authorizations it could omit the “sites” field.
>
> P.S. I suggested this last month
> http://www.ietf.org/mail-archive/web/oauth/current/msg01920.html, though I
> mixed in additional ideas for formats and media type that are probably best
> covered in their own threads.
>
> --
> James Manger
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
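As an added illustration (not code from the thread), the following Python shows how a client could act on the proposed "sites" field: it attaches the token only to requests whose scheme://host[:port] matches a listed site, and falls back to the token endpoint's site when the field is absent. It assumes the token is sent as a Bearer Authorization header and that an explicit default port (:443 for https, :80 for http) is equivalent to omitting it; the token value and token endpoint are constructed sample data.

```python
import json
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def site_of(url):
    """Normalize a URL to its scheme://host[:port] origin.
    Assumption: a default port is equivalent to no port, so
    https://a.example:443 and https://a.example are the same site."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname  # already lower-cased by urlsplit
    if scheme not in DEFAULT_PORTS or host is None:
        raise ValueError(f"unsupported or malformed URL: {url!r}")
    port = parts.port
    if port is None or port == DEFAULT_PORTS[scheme]:
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def allowed_sites(token_response, token_endpoint):
    """Sites the token may be sent to. Applies the proposed default: when the
    response carries no "sites" field, only the token endpoint's site qualifies."""
    sites = token_response.get("sites", [token_endpoint])
    return {site_of(s) for s in sites}


def bearer_header_for(request_url, token_response, token_endpoint):
    """Return the Authorization header for request_url, or None when the token
    must not be sent there. Returning None keeps a misrouted request from
    handing the token to a site that was never authorized to receive it."""
    if site_of(request_url) not in allowed_sites(token_response, token_endpoint):
        return None
    return {"Authorization": f"Bearer {token_response['access_token']}"}


# Constructed sample token response: the "sites" values are the ones from the
# proposal; the access token and token endpoint are made up for this example.
SAMPLE_RESPONSE = json.loads("""{
  "access_token": "example-token-value",
  "sites": ["https://api.example.com", "http://photo.example.com:8080"]
}""")
TOKEN_ENDPOINT = "https://auth.example.com/oauth/token"

if __name__ == "__main__":
    for url in ("https://api.example.com/v1/me", "https://other.example.com/"):
        print(url, "->", bearer_header_for(url, SAMPLE_RESPONSE, TOKEN_ENDPOINT))
```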