Hi Rifaat, one detail. The tech summary says

"An extension to the OAuth 2.0 Authorization Framework defining request parameters that enable a client to explicitly signal to an authorization server about the *location* of the protected resource(s) to which it is requesting access."

But at least in the Microsoft implementation, the resource identifier doesn't *have* to be a network addressable URL (and if it is, it doesn't strictly need to match the actual resource location). It can be a logical identifier, tho using the actual resource location there has benefits (domain ownership check, prevention of token forwarding etc). Same for Auth0, the audience parameter is a logical identifier rather than a location.

On Wed, Jan 16, 2019 at 6:32 PM Rifaat Shekh-Yusef <rifaat.i...@gmail.com> wrote:

> All,
>
> The following is the first shepherd write-up for
> the draft-ietf-oauth-resource-indicators-01 document.
>
> https://datatracker.ietf.org/doc/draft-ietf-oauth-resource-indicators/shepherdwriteup/
>
> Please, take a look and let me know if I missed anything.
>
> Regards,
> Rifaat
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth