Hi! The following is my AD review of draft-ietf-oauth-resource-indicators-02. The document is in good shape.

(1) Section 2. Per "The parameter can carry the location of a protected resource, typically as an https URL, or a more abstract identifier", is this "abstract identifier" still an absolute URI per Section 4.3 of RFC3986?

(2) Section 2.2. In the sentence "To the extent possible, when issuing access tokens, the authorization server should adapt the scope value associated with an access token to the value the respective resource is able to process and needs to know":

-- Is this language suggesting that the authorization server is modifying the scope value based on the resource it sees? I'm trying to understand what "adapt" means, especially in relation to the improved security and privacy the subsequent sentence suggests.

-- (Depending on the above) Is there a security consideration here for the server relative to confidential scope values and how they might be modified?

(3) Editorial

** Section 1 and 2.1. Multiple typos. s/the the/the/g

** Section 2. Editorial. s/resource at which/resource to which/

** Section 2. Editorial. s/ And can also be used to inform the client that it has requested an invalid combination of resource and scope./ It can also be used to inform the client that it has requested an invalid combination of resource and scope./

** Section 2.1. Multiple typos. s/an an/an/g

** Section 2.2. Editorial. s/token request and response/token request (Figure 3) and response (Figure 4)/

** Section 3. Typo. s/a invalid/an invalid/

** Section 3. Missing words. "A bearer token that has multiple intended recipients (audiences) can be used by any one of those recipients at any other." Is it protected resource?

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
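The Section 3 point above concerns audience restriction: a bearer token minted for several resources can be presented by any one of them to any other, which is exactly what the `resource` parameter lets an authorization server narrow. The following is an added illustration, not text or code from the draft or from this mailing-list thread. It assumes a minimal HS256 JWT with a constructed demo key shared by the authorization server and the resource servers; the resource identifiers and the function names `issue_token` and `accept_token` are illustrative. `issue_token` sets the `aud` claim from the resource identifiers the client named, and `accept_token` is the check each protected resource performs: signature, expiry, and that its own identifier is among the token's audiences, so a token restricted to one resource is rejected at another.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key shared by the authorization server and the resource
# servers in this example only; a real deployment uses a managed signing key.
DEMO_KEY = b"constructed-demo-key-not-for-real-use"


def _b64url(data: bytes) -> str:
    """Base64url without padding, as compact JWTs use."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(subject, audiences, scope, ttl=300, key=DEMO_KEY, now=None):
    """Authorization-server side: mint an HS256 JWT whose 'aud' claim lists
    the resource identifiers the client requested via the 'resource'
    parameter. 'now' is injectable so the behaviour is reproducible."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "sub": subject,
        "aud": list(audiences),
        "scope": scope,
        "iat": now,
        "exp": now + ttl,
    }
    signing_input = (
        f"{_b64url(json.dumps(header).encode())}."
        f"{_b64url(json.dumps(payload).encode())}"
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def accept_token(token, my_resource, key=DEMO_KEY, now=None):
    """Resource-server side: verify the signature and expiry, then require
    that this server's own identifier is one of the token's audiences.
    Returns the verified claims, or None when the token must be rejected."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        return None  # not a three-part compact JWT
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return None  # signature does not verify
    claims = json.loads(_b64url_decode(p))
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:
        return None  # expired
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    if my_resource not in aud:
        return None  # token was issued for some other resource
    return claims


if __name__ == "__main__":
    api, cal = "https://api.example.com/", "https://cal.example.com/"
    single = issue_token("alice", [api], "read", now=1000)
    multi = issue_token("alice", [api, cal], "read", now=1000)
    print("single-audience token at api:", accept_token(single, api, now=1001) is not None)
    print("single-audience token at cal:", accept_token(single, cal, now=1001) is not None)
    print("multi-audience token at cal: ", accept_token(multi, cal, now=1001) is not None)
```

The last two prints show the difference the reviewer's sentence is about: the token whose `aud` names both resources is accepted at either, while the token restricted to `api` is refused at `cal`, which is the effect a client obtains by naming a single `resource` value in its request.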