On 09.05.2010 16:39, Manger, James H wrote:
Torsten,
Thanks for your analysis.
1) Resource server controls token sites (context of the realm attribute)
2) Authorization server controls token sites (context of token)
In my opinion, (1) improves security and eases the practicability of OAuth2 in
scenarios with multiple sites, and (2) is a significant security improvement. I
think both scenarios should be addressed by the WG.
Scenario 1 is basically how HTTP Digest works -- using a "domains" param, which
is a list of URI prefixes.
If a resource server is delegating to an authz server, it may as well also rely on the
authz server to indicate "realm" values that are equivalent across multiple
resource servers.
That is, I think it is useful to return "sites" and "realm" values in a token response
from an authz server, but that it is not necessary to return "sites" in a 401 resource server
response in OAuth.
One resource server may well not know about all the other resource servers.
--
James Manger
So you suggest returning "sites" from the authz server only?
regards,
Torsten.
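Added example, not part of the thread: a client-side check of the idea James describes, where the token response carries a list of "sites" (URI prefixes, in the style of the HTTP Digest "domains" parameter) that the token may be sent to, plus a "realm" that groups resource servers. The "sites" parameter is the proposal under discussion here, not a parameter of the final OAuth 2.0 specification; the token response, URLs and token value below are constructed for illustration, and the function names are my own. The security point the check enforces is that a bearer token is never attached to a request outside the prefixes the authorization server named, which is what keeps a token issued for one site from leaking to another.

```python
from urllib.parse import urlsplit

# Default ports so that "https://h/x" and "https://h:443/x" compare equal.
DEFAULT_PORTS = {"http": 80, "https": 443}


def _normalize(url):
    """Split a URL into (scheme, host, port, path) with case and default ports folded."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port or DEFAULT_PORTS.get(scheme)
    path = parts.path or "/"
    return scheme, host, port, path


def matches_prefix(prefix, url):
    """True if url lies under the URI prefix, matching on whole path segments.

    Scheme, host and port must be identical; the path must equal the prefix
    path or extend it at a '/' boundary, so "/v1" covers "/v1/photos" but not
    "/v1evil".
    """
    p_scheme, p_host, p_port, p_path = _normalize(prefix)
    u_scheme, u_host, u_port, u_path = _normalize(url)
    if (p_scheme, p_host, p_port) != (u_scheme, u_host, u_port):
        return False
    if not p_path.endswith("/"):
        p_path += "/"
    return u_path == p_path.rstrip("/") or u_path.startswith(p_path)


def token_allowed_for(token_response, url):
    """Decide whether the access token in token_response may be sent to url.

    A response without any "sites" entry yields False: the client then has no
    authoritative statement of where the token is valid, so it refuses rather
    than guessing (a conservative assumption made here, not a rule from the thread).
    """
    sites = token_response.get("sites") or []
    return any(matches_prefix(site, url) for site in sites)


def authorization_header(token_response, url):
    """Return the Authorization header for url, or None if the token must not go there."""
    if not token_allowed_for(token_response, url):
        return None
    return {"Authorization": "Bearer " + token_response["access_token"]}


# Constructed token response as the authorization server might return it under
# the proposal: one realm shared by two resource servers, each listed as a prefix.
TOKEN_RESPONSE = {
    "access_token": "tok-constructed-example",
    "realm": "example-realm",
    "sites": ["https://api.example.com/v1", "https://photos.example.com/"],
}


def tokens_for_realm(tokens, realm):
    """Pick the cached token responses whose realm matches a 401's realm value.

    Realm equality only selects candidate tokens; each candidate is still
    subject to the "sites" prefix check before it is sent anywhere.
    """
    return [t for t in tokens if t.get("realm") == realm]


if __name__ == "__main__":
    for target in ("https://api.example.com/v1/photos/1",
                   "https://api.example.com/v1evil",
                   "http://api.example.com/v1/photos/1",
                   "https://other.example.net/v1"):
        print(target, "->", authorization_header(TOKEN_RESPONSE, target))
```

The segment-boundary rule in `matches_prefix` is the part most often got wrong in prefix checks: a plain string `startswith` on the path would let "/v1evil" inherit the token issued for "/v1".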
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth