Hi Nat,

On Wed, Feb 24, 2016 at 12:54 PM Nat Sakimura <sakim...@gmail.com> wrote:

> On Mon, Feb 22, 2016 at 18:44, Thomas Broyer <t.bro...@gmail.com> wrote:
>
>> (well, except if there are several ASs each with different scopes; sounds
>> like an edge-case to me though; maybe RFC6750 should instead be updated
>> with such a parameter such that an RS could return several
>> WWW-Authenticate: Bearer, each with its own "scope" and "duri" value?)
>
> Yeah, I guess it is an edge case. I would rather like to see these authz
> servers develop a trust framework under which they can agree on a single
> set of common scope parameter values.

Well, except that adding the "duri" and "auri" metadata links to the "WWW-Authenticate: Bearer" response header(s) would easily solve those issues (without judging here whether they're edge-case or not), and I don't really see any other use-case for that metadata outside the unauthorized use of a resource (your draft admits it's the "typical use-case").
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
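The message above suggests an RS returning several "WWW-Authenticate: Bearer" challenges, each with its own "scope", "duri" and "auri". As an added example (not part of the original message or of any draft), this is a client-side parser for that layout. The header values, the allowlist of trusted "duri" values and all function names are assumptions made for illustration.

```python
import re

TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
# Runs of characters between commas, treating a quoted string as one unit.
ITEMS = re.compile(r'(?:[^,"]|"(?:[^"\\]|\\.)*")+')
# Optional leading auth-scheme, then one name=value auth-param.
PARAM = re.compile(rf"^(?:({TOKEN})\s+)?({TOKEN})\s*=\s*(.*)$", re.S)

# Constructed sample: one header line per authorization server.
SAMPLE = [
    'Bearer realm="api, v2", scope="read write", '
    'duri="https://as1.example/meta", auri="https://as1.example/authz"',
    'Bearer scope="admin", duri="https://as2.example/meta"',
]

def parse_challenges(header_values):
    """Return [(scheme, params)] for every challenge in every header line."""
    challenges = []
    for value in header_values:
        for item in (i.strip() for i in ITEMS.findall(value)):
            m = PARAM.match(item)
            if m is None:
                if item:                        # bare scheme without params
                    challenges.append((item, {}))
                continue
            scheme, name, raw = m.groups()
            if scheme:                          # "Bearer realm=..." opens a challenge
                challenges.append((scheme, {}))
            if not challenges:                  # param before any scheme: malformed
                continue
            if len(raw) >= 2 and raw[0] == raw[-1] == '"':
                raw = re.sub(r"\\(.)", r"\1", raw[1:-1])   # unquote, unescape
            challenges[-1][1][name.lower()] = raw
    return challenges

def bearer_options(header_values, trusted_duri):
    """Bearer challenges whose "duri" is on the caller's allowlist (assumed policy)."""
    return [{"scope": p.get("scope", "").split(), "duri": p["duri"], "auri": p.get("auri")}
            for scheme, p in parse_challenges(header_values)
            if scheme.lower() == "bearer" and p.get("duri") in trusted_duri]
```

Challenges that carry a token68 blob instead of name=value parameters are outside what this parser handles.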