On 18 December 2011 17:22, Doug Tangren <d.tang...@gmail.com> wrote:
>
> On Sun, Dec 18, 2011 at 12:05 PM, Melvin Carvalho <melvincarva...@gmail.com>
> wrote:
>>
>> Is this kind of flow possible with OAuth 2.0, and if so whose
>> responsibility is it to maintain the list of agents that can access
>> the resource?
>
> The scope parameter fulfills this role. It would be up to the service to
> document the scope for clients, the auth server to ask the user if they
> wished to allow the client this extra scope of access, and the resource server
> to interpret the scope for the particular request.

It's not necessary to use the scope parameter; you'd probably want
some private API that allows an authenticated client to say something
like: "User X is also allowed to access this resource", and when User
X's client obtains an access token, they'll be able to access the
resource in question.

The ACL in any event is the responsibility of the service provider, as
the service provider is the only entity able to enforce access
control.

b.
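To illustrate the arrangement described in this reply (an added example, not code from the thread or from any OAuth implementation), the sketch below models a resource server that owns the ACL: a private "share" operation lets the authenticated owner add a user, and the read check consults that ACL rather than relying on scope alone. The token fields, the "read" scope, the share operation and all sample users are assumptions for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class AccessToken:
    """Assumed token shape: who it was issued to and which scopes the AS granted."""
    subject: str
    client_id: str
    scopes: frozenset

@dataclass
class Resource:
    owner: str
    acl: set = field(default_factory=set)  # subjects the owner has granted access to

class ResourceServer:
    """Service-provider side: the ACL lives and is enforced here, not in the token."""

    def __init__(self):
        self.resources = {}

    def share(self, token, resource_id, grantee):
        """Private API: an authenticated owner says 'User X may access this'.
        No special scope is required; the decision rests on who the token identifies."""
        res = self.resources[resource_id]
        if token.subject != res.owner:
            raise PermissionError("only the resource owner may change the ACL")
        res.acl.add(grantee)

    def allowed(self, token, resource_id):
        """Coarse check on scope (what the client may do), then the per-user ACL."""
        res = self.resources.get(resource_id)
        if res is None or "read" not in token.scopes:
            return False
        return token.subject == res.owner or token.subject in res.acl

    def read(self, token, resource_id):
        if not self.allowed(token, resource_id):
            raise PermissionError(f"{token.subject} may not read {resource_id}")
        return f"contents of {resource_id}"

# Constructed sample data for a stand-alone run.
if __name__ == "__main__":
    rs = ResourceServer()
    rs.resources["photo-1"] = Resource(owner="alice")
    alice = AccessToken("alice", "app-a", frozenset({"read"}))
    bob = AccessToken("bob", "app-b", frozenset({"read"}))
    print(rs.allowed(bob, "photo-1"))   # Bob not yet on the ACL
    rs.share(alice, "photo-1", "bob")   # Alice's client grants Bob access
    print(rs.read(bob, "photo-1"))      # Bob's own token now suffices
```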
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
