Right. As there can be multiple WWW-Authenticate headers, it is doable that
way. Maybe that's better in this respect, though it becomes a bit different
than other metadata. Alternatively, the scope can be added as a parameter
in the auri Web Link header.
The good thing about the Link header is that you can just configure the web
server config to return them. There is no code needed.

On Thu, Feb 25, 2016 at 0:01, Thomas Broyer <t.bro...@gmail.com> wrote:

> Hi Nat,
>
> On Wed, Feb 24, 2016 at 12:54 PM Nat Sakimura <sakim...@gmail.com> wrote:
>
>>
>> On Mon, Feb 22, 2016 at 18:44, Thomas Broyer <t.bro...@gmail.com> wrote:
>>
>
>>
>>> (well, except if there are several ASs each with different scopes;
>>> sounds like an edge-case to me though; maybe RFC6750 should instead be
>>> updated with such a parameter such that an RS could return several
>>> WWW-Authenticate: Bearer, each with its own "scope" and "duri" value?)
>>>
>>
>> Yeah, I guess it is an edge case. I would rather like to see these authz
>> servers develop a trust framework under which they can agree on a single
>> set of common scope parameter values.
>>
>
> Well, except that adding the "duri" and "auri" metadata links to the
> "WWW-Authenticate: Bearer" response header(s) would easily solve those
> issues (without judging here whether they're edge-case or not), and I don't
> really see any other use-case for that metadata outside the unauthorized
> use of a resource (your draft admits it's the "typical use-case").
>
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
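
The client-side handling that the thread's idea implies (several `WWW-Authenticate: Bearer` challenges, each with its own "scope" and link parameters) is sketched below as an added example; it is not part of the thread or of any draft. Carrying "auri" and "duri" as challenge parameters is the proposal discussed above, not RFC 6750, and the function names, hosts and URLs are constructed placeholders.

```python
import re

TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED = r'"(?:[^"\\]|\\.)*"'
ITEM = re.compile(rf'(?:[^,"]|{QUOTED})+')   # comma-separated items, quoted strings kept whole
PARAM = re.compile(rf'({TOKEN})\s*=\s*({QUOTED}|{TOKEN})$')
START = re.compile(rf'({TOKEN})(?:\s+(.+))?$')

def parse_challenges(header_values):
    """Return [(scheme, {param: value})] across all WWW-Authenticate field values."""
    challenges = []
    for value in header_values:
        for item in filter(None, map(str.strip, ITEM.findall(value))):
            m = PARAM.match(item)
            if m is None:  # not a bare auth-param, so this item opens a new challenge
                start = START.match(item)
                if start is None:
                    raise ValueError(f"malformed challenge: {item!r}")
                challenges.append((start.group(1).lower(), {}))
                if start.group(2) is None:
                    continue
                m = PARAM.match(start.group(2))
            if m is None or not challenges:
                raise ValueError(f"malformed auth-param: {item!r}")
            name, raw = m.group(1).lower(), m.group(2)
            params = challenges[-1][1]
            if name in params:  # RFC 7235: a parameter name occurs once per challenge
                raise ValueError(f"duplicate parameter: {name}")
            if raw.startswith('"'):
                raw = re.sub(r"\\(.)", r"\1", raw[1:-1])  # strip quotes, undo escapes
            params[name] = raw
    return challenges

def bearer_options(header_values):
    """One dict per Bearer challenge: scope list plus the thread's proposed links."""
    return [
        {"scope": p.get("scope", "").split(), "auri": p.get("auri"), "duri": p.get("duri")}
        for scheme, p in parse_challenges(header_values) if scheme == "bearer"
    ]

# Constructed sample: two header fields; the second carries two challenges
# and a comma inside a quoted string.
SAMPLE = [
    'Bearer realm="api", scope="read write", auri="https://as1.example/authorize"',
    'Bearer realm="photos, shared", scope="albums", auri="https://as2.example/authorize", '
    'duri="https://as2.example/duri", Basic realm="legacy"',
]
```

Splitting the field value on every comma would cut the quoted realm in two and misattribute parameters between challenges, which is why items are matched with quoted strings kept whole.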
