For (1) arguably these are different resources, therefore, they of course
have different paths. The draft specifically outlines that each of them can
have their own metadata document:

https://www.ietf.org/archive/id/draft-ietf-oauth-resource-metadata-00.html#name-protected-resource-metadata-

If the resource identifier value contains a path component, any terminating
/ MUST be removed before appending /.well-known/ and the well-known URI
path suffix. The consumer of the metadata would make the following request
when the resource identifier is https://resource.example.com/resource1 and
the well-known URI path suffix is oauth-protected-resource to obtain the
metadata, since the resource identifier contains a path component:
<https://www.ietf.org/archive/id/draft-ietf-oauth-resource-metadata-00.html#section-3.1-4>

  GET /resource1/.well-known/oauth-protected-resource HTTP/1.1
  Host: resource.example.com

<https://www.ietf.org/archive/id/draft-ietf-oauth-resource-metadata-00.html#section-3.1-5>

Using path components enables supporting multiple resources per host. This
is required in some multi-tenant hosting configurations. This use of
.well-known is for supporting multiple resources per host; unlike its use
in [RFC5785
<https://www.ietf.org/archive/id/draft-ietf-oauth-resource-metadata-00.html#RFC5785>
], it does not provide general information about the host.

For (2), this is already the case with OAuth, and has nothing to do with
this draft. The solution here is for resource servers to check the
*audience* claim in the incoming token if it is a JWT. If for some reason
they can't do that or it isn't a JWT, then DPoP exists to constrain
requests to prove that the client should be allowed to utilize that token.


On Thu, Sep 21, 2023 at 6:19 PM Atul Tulshibagwale <a...@sgnl.ai> wrote:

> Hi all,
> I'm still looking for answers to these two questions
> <https://mailarchive.ietf.org/arch/msg/oauth/NLj-xnAZ4BtFs9z62OzCro4xxoc/>
> regarding the OPRM draft that was recently adopted by the WG:
>
>    1. If I have a resource server that has multiple endpoints, each of
>    which require different scopes, how should those be handled? For example,
>    in the SSF spec, the SSF Transmitter has a Create Stream endpoint and a
>    Polling endpoint. The scopes required for these are different. How would
>    the client know which scope is to be used with which endpoint?
>    2. Does the spec encourage insecure behavior in the caller by
>    requesting tokens with scopes that they do not understand? I.e. If an
>    authorization server is known to provide valuable tokens with certain
>    scopes, can a malicious resource server trick the client into requesting a
>    more powerful token, which it then uses to access some other service? Since
>    the consent dialog is likely to show two trusted names (i.e. the requesting
>    client and the authorization server), the user would be prone to providing
>    consent, even if the scope looks unnecessarily permissive.
>
> Thanks,
> Atul
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

Reply via email to