Hello, I have a question.
If there exist multiple authorization servers that can issue access tokens for one resource server, when the resource server receives an access token from a client application, as the first step, the resource server has to determine which authorization server to use for access token introspection. Is there any standard way to determine which authorization server to use? There may be several ways, for example: (1) Embed information about the access token issuer in the access token. (2) Add a request parameter to identify the access token issuer. (3) Separate protected resource endpoints for each authorization server. If there is a standard way, I'd like to know it. Best Regards, Takahiko Kawasaki
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
