Hi,

OAuth 1.0a has OAuth Echo, which is an Identity Verification Delegation Extension.
In the OAuth 2.0 specs, a MAC token may enable the same delegation flow, but
the Client must not pass the Delegator's bearer token.
The separation of Access Tokens will solve this problem.

Moreover, I think that the client must obtain permission from the user to
access the 3rd party's data.

So, I propose the enhanced OAuth Echo.
=========================================================================

Abstract of Proposal:

This extension allows the client to access the resources of another client.

Added Terminology
- External Resource Server (ERS)

Obtaining Authorization
- The client adds a scope for accessing the ERS
- The AuthZ Server must verify the scope (by registry or ERS discovery (TBD))

Issuing an Access Token
- The AuthZ Server adds the ERS access_token to the response

Accessing Protected Resources
- The Client uses the ERS access_token to access ERS data
- The ERS sends the token to the AuthZ Server's delegation endpoint
- The AuthZ Server returns the user identifier and client data (name, URL, etc.)
- The ERS processes the request

=======================================================================

Twitter OAuth has a lot of Clients that use only the user identifier.
When a Client behaves as an ERS, it can provide its own resources
easily without implementing an AuthZ Server.

Actually, is there a Client that needs such a use case?

Ryo.

-- 
====================
Ryo Ito
Email : ritou...@gmail.com
====================
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
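The three-party flow sketched in the proposal above (scope check at authorization, a separate ERS access_token in the token response, and the ERS calling back to the AuthZ Server's delegation endpoint), as an added in-memory model. This is example code written for this page; it is not part of the proposal, of OAuth Echo, or of any OAuth specification. The client and ERS identifiers, the "ers:<ers_id>" scope convention, the "ers_access_tokens" response field, the registry dictionaries and the sample user data are all constructed for the illustration. The point it shows is the one the message argues for: the token handed to the ERS is minted for that ERS alone, so the Client's own delegator token is never forwarded and is rejected if it is.

```python
"""Toy model of the 'enhanced OAuth Echo' flow sketched in the proposal.

Three parties: the AuthZ Server, a Client, and an External Resource Server
(ERS). All names, scopes, endpoints and data below are constructed for this
example; they are not defined by the proposal or by any OAuth specification.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class AuthZServer:
    # Hypothetical registries: clients the AS knows, and the ERSs it will
    # issue tokens for. The proposal leaves ERS registration/discovery TBD.
    clients: dict = field(default_factory=dict)       # client_id -> {"name", "url"}
    ers_registry: set = field(default_factory=set)    # registered ers_ids
    _tokens: dict = field(default_factory=dict)       # token -> claims

    def authorize(self, user_id, client_id, scopes):
        """Obtaining Authorization + Issuing an Access Token.

        Every requested 'ers:*' scope must match a registered ERS; a scope
        no ERS is registered for is rejected, not silently dropped.
        """
        if client_id not in self.clients:
            raise ValueError("unknown client")
        ers_ids = []
        for scope in scopes:
            if scope.startswith("ers:"):
                ers_id = scope[len("ers:"):]
                if ers_id not in self.ers_registry:
                    raise ValueError(f"unregistered ERS scope {scope!r}")
                ers_ids.append(ers_id)
        response = {"access_token": self._issue(user_id, client_id, aud="self"),
                    "token_type": "bearer"}
        # Separation: one token per ERS, bound to that ERS as audience, so the
        # Client never hands its delegator token to a third party.
        response["ers_access_tokens"] = {
            ers_id: self._issue(user_id, client_id, aud=ers_id) for ers_id in ers_ids
        }
        return response

    def _issue(self, user_id, client_id, aud):
        token = secrets.token_urlsafe(24)
        self._tokens[token] = {"sub": user_id, "client_id": client_id, "aud": aud}
        return token

    def delegation_endpoint(self, caller_ers_id, token):
        """Called by an ERS. Returns user identifier and client data, or None.

        The token must exist and must have been minted for this ERS; the
        Client's own access_token (aud == "self") is never accepted here.
        """
        claims = self._tokens.get(token)
        if claims is None or claims["aud"] != caller_ers_id:
            return None
        client = self.clients[claims["client_id"]]
        return {"user_id": claims["sub"], "client": dict(client)}


@dataclass
class ExternalResourceServer:
    ers_id: str
    authz: AuthZServer
    data: dict = field(default_factory=dict)  # constructed: user_id -> items

    def handle_request(self, bearer_token):
        """Accessing Protected Resources, ERS side."""
        info = self.authz.delegation_endpoint(self.ers_id, bearer_token)
        if info is None:
            return {"status": 401, "body": "invalid token for this ERS"}
        items = self.data.get(info["user_id"], [])
        return {"status": 200,
                "accessed_by": info["client"]["name"],
                "user_id": info["user_id"],
                "body": items}


def build_demo():
    """Wire up the three parties with constructed sample data."""
    authz = AuthZServer(
        clients={"client-123": {"name": "Photo Viewer",
                                "url": "https://viewer.example"}},
        ers_registry={"photos.example"},
    )
    ers = ExternalResourceServer("photos.example", authz,
                                 data={"alice": ["IMG_0001", "IMG_0002"]})
    return authz, ers


def run_flow():
    """Client side of the flow. Returns (ERS response, misuse response)."""
    authz, ers = build_demo()
    grant = authz.authorize("alice", "client-123",
                            ["profile", "ers:photos.example"])
    # Correct use: the ERS-scoped token goes to the ERS.
    ok = ers.handle_request(grant["ers_access_tokens"]["photos.example"])
    # Misuse: the Client's own delegator token must not work at the ERS.
    misuse = ers.handle_request(grant["access_token"])
    return ok, misuse
```

The audience check in `delegation_endpoint` is what makes the "separation of Access Tokens" bite: an ERS that receives a leaked delegator token, or a token minted for a different ERS, gets nothing back from the AuthZ Server, so it cannot impersonate the Client against the primary resource server either.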
