Comments...

I found the following paragraph a little confusing:

   When an access token will be returned from the authorization
   endpoint, the "resource" parameter is used in the authorization
   request to the authorization endpoint as defined in Section 4.2.1 of
   OAuth 2.0 [RFC6749 <https://tools.ietf.org/html/rfc6749>].  An example
   of an authorization request where the client tells the authorization
   server that it wants a token for use at "https://rs.example.com/" is
   shown in Figure 1 below.

I don't have RFC 6749 memorized to the level of section numbers:) I would recommend calling out that for the co

I don't have RFC 6749 memorized to the level of section numbers so it took a bit to realize you were talking about Implicit and "Hybrid" flows. Suggested text addition...

   When an access token will be returned from the authorization
   endpoint (such as the Implicit flow [Section 4.2.1 of OAuth 2.0
   [RFC6749 <https://tools.ietf.org/html/rfc6749>]]), the "resource"
   parameter is used in the authorization request to the authorization
   endpoint.  For OAuth flows that only return an access token from the
   token endpoint, the resource parameter MUST NOT be used in the
   authorization request.  An example of an authorization request where
   the client tells the authorization server that it wants a token for
   use at "https://rs.example.com/" is shown in Figure 1 below.

Or something like that.

Also, should there be some discussion regarding using logical URIs for resources rather than requiring a specific physical path? The AS can always translate the resource URI to a physical endpoint if necessary.

Finally, should we define more guidance on the separation of scopes and resource indicators? For example, for an instant messaging service there might be scopes of "sendIM", "readBuddyList", "adminAccount". And then the resource indicator might be https://api.im.example.com. Given the client is requesting a token with a scope of "sendIM", is it really necessary to also specify a resource indicator of "https://api.im.example.com", as the AS could probably infer that from the scope parameter?

Thanks,
George
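[Editor's note: the following is an added, constructed example for this thread. It is not text from the draft and not code from George or the draft authors. It shows, on the authorization-server side, the rule George proposes above: accept "resource" in an authorization request only when the response_type returns an access token from the authorization endpoint (implicit and the OpenID Connect hybrid variants), check each value as an absolute URI without a fragment, and, when no resource is sent, infer a logical resource from scope and translate it to physical endpoints. The scope table, the logical-to-physical table, the hostnames and the client_id values are all made up for the example; "invalid_target" is the error code the resource indicators draft uses for an unacceptable resource value (assumed here to be present in -00).]

```python
from urllib.parse import parse_qs, urlsplit

# response_type values that return an access token from the authorization
# endpoint: implicit (RFC 6749 section 4.2) and the OpenID Connect hybrid
# variants.  Stored with the tokens in sorted order so "token id_token" and
# "id_token token" compare equal.
TOKEN_FROM_AUTHZ_ENDPOINT = {
    "token",
    "id_token token",
    "code token",
    "code id_token token",
}

# Hypothetical scope -> logical resource table, modelled on the IM example
# in the message above.  Constructed for this example.
SCOPE_TO_RESOURCE = {
    "sendIM": "https://api.im.example.com",
    "readBuddyList": "https://api.im.example.com",
    "adminAccount": "https://admin.im.example.com",
}

# Hypothetical translation from a logical resource URI to the physical
# endpoint(s) that actually serve it.  Constructed for this example.
LOGICAL_TO_PHYSICAL = {
    "https://api.im.example.com": [
        "https://im-api-1.example.net/v2",
        "https://im-api-2.example.net/v2",
    ],
    "https://admin.im.example.com": ["https://im-admin.example.net/"],
}


def is_valid_resource_uri(value):
    """Absolute URI (scheme present) with no fragment component."""
    if "#" in value:  # urlsplit would silently separate a fragment; reject it
        return False
    parts = urlsplit(value)
    return bool(parts.scheme) and bool(parts.netloc or parts.path)


def infer_resources(scopes):
    """Logical resources implied by the requested scopes, in first-seen order."""
    seen = []
    for scope in scopes:
        resource = SCOPE_TO_RESOURCE.get(scope)
        if resource and resource not in seen:
            seen.append(resource)
    return seen


def physical_endpoints(resources):
    """Translate logical resource URIs to the physical endpoints behind them."""
    endpoints = []
    for resource in resources:
        endpoints.extend(LOGICAL_TO_PHYSICAL.get(resource, []))
    return endpoints


def check_authorization_request(query):
    """Evaluate the "resource" handling of one authorization request.

    `query` is the raw query string of the request to the authorization
    endpoint.  Returns {"ok": True, "resources": [...], "endpoints": [...]}
    or {"ok": False, "error": ..., "error_description": ...}.
    """
    params = parse_qs(query, keep_blank_values=True)
    response_type = " ".join(sorted(params.get("response_type", [""])[0].split()))
    resources = params.get("resource", [])

    # George's proposed rule: resource only belongs in the authorization
    # request when the authorization endpoint itself returns an access token.
    if resources and response_type not in TOKEN_FROM_AUTHZ_ENDPOINT:
        return {
            "ok": False,
            "error": "invalid_request",
            "error_description": "resource is not allowed in the authorization "
                                 "request for response_type=" + response_type,
        }

    for resource in resources:
        if not is_valid_resource_uri(resource):
            return {
                "ok": False,
                "error": "invalid_target",
                "error_description": "resource must be an absolute URI without "
                                     "a fragment: " + resource,
            }

    # No explicit resource: infer the logical resource from scope, as the
    # message above suggests an AS could do.
    if not resources:
        resources = infer_resources(params.get("scope", [""])[0].split())

    return {"ok": True, "resources": resources,
            "endpoints": physical_endpoints(resources)}


if __name__ == "__main__":
    print(check_authorization_request(
        "response_type=token&client_id=c1&scope=sendIM"
        "&resource=https%3A%2F%2Fapi.im.example.com"))
    print(check_authorization_request(
        "response_type=code&client_id=c1&scope=sendIM+adminAccount"))
```

The same three checks apply, unchanged, to a token request for the code flow; only the response_type gate is specific to the authorization endpoint.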

On 8/3/18 11:39 PM, internet-dra...@ietf.org wrote:
A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Web Authorization Protocol WG of the IETF.

        Title           : Resource Indicators for OAuth 2.0
        Authors         : Brian Campbell
                          John Bradley
                          Hannes Tschofenig
        Filename        : draft-ietf-oauth-resource-indicators-00.txt
        Pages           : 8
        Date            : 2018-08-03

