Torsten,

>> This example illustrates that OAuth2 discovery needs to let a service
>> explicitly indicate whether a direct and/or user-delegation flow is required.
>> For instance, a "WWW-Authenticate: OAuth2" response could define 2 parameters:
>> 'user-uri' and 'token-uri'. If only one is present, only the corresponding mode
>> is useful in this interaction.

> In my opinion, this decision is up to the authorization server and not
> the resource server. Or should both be possible? What do you think?

Theoretically, the decision should probably be up to the authorization server. In practice, however, the decision should be *delivered* from the resource server.

It is resources that apps are ultimately interested in. It is at a resource where an app should start (unless it can skip some steps by using some service-specific knowledge). Consequently, delivering the decision from the resource server is more efficient. It avoids an extra step (resource server -> authz server -> answer).

Separating the authorization server from resource servers is useful for restricting the exposure of long-term secrets. It is not necessary, however, for the delivery of discovery information.

--
James Manger

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
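As an added illustration (not code from the thread or from any OAuth implementation), the following client-side parser handles the hypothetical `WWW-Authenticate: OAuth2` challenge with the proposed `user-uri` / `token-uri` parameters, assuming standard RFC 7235 auth-param syntax for the parameters. Because the discovery information is delivered by the resource server, the client only accepts an advertised endpoint when it is an absolute https URI, so a plain-http or relative value does not enable a flow.

```python
import re
from urllib.parse import urlsplit

# One RFC 7235 auth-param: token "=" ( token / quoted-string )
_PARAM_RE = re.compile(
    r'''([A-Za-z0-9!#$%&'*+.^_`|~-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))'''
)


def parse_oauth2_challenge(header_value):
    """Parse a 'WWW-Authenticate: OAuth2 ...' value into a dict of auth-params.

    The 'OAuth2' scheme and its parameters are the hypothetical ones proposed
    in the thread. Returns None when the challenge uses another scheme.
    """
    scheme, _, params = header_value.strip().partition(" ")
    if scheme.lower() != "oauth2":
        return None
    result = {}
    for m in _PARAM_RE.finditer(params):
        name = m.group(1).lower()
        if m.group(2) is not None:
            value = re.sub(r"\\(.)", r"\1", m.group(2))  # undo quoted-pair escapes
        else:
            value = m.group(3)
        if name in result:
            raise ValueError("duplicate auth-param: " + name)
        result[name] = value
    return result


def _is_acceptable_endpoint(uri):
    # Discovery data comes from the resource server, so insist on an absolute
    # https URI before the app will send credentials or tokens to it.
    parts = urlsplit(uri)
    return parts.scheme == "https" and bool(parts.netloc)


def supported_flows(header_value):
    """Return which modes the challenge enables: 'user-delegation' (user-uri)
    and/or 'direct' (token-uri). A parameter only counts if its URI is https."""
    params = parse_oauth2_challenge(header_value)
    if params is None:
        return set()
    flows = set()
    if _is_acceptable_endpoint(params.get("user-uri", "")):
        flows.add("user-delegation")
    if _is_acceptable_endpoint(params.get("token-uri", "")):
        flows.add("direct")
    return flows
```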