Hello everyone,
I've submitted a new individual draft that proposes an update to RFC 8707
("Resource Indicators for OAuth 2.0"):
*Resource Indicator Response Parameter for OAuth 2.0*
<https://datatracker.ietf.org/doc/draft-skokan-oauth-resource-response/>
RFC 8707 defines the resource request parameter for authorization and token
requests, allowing a client to signal which protected resource(s) it wants
an access token for. However, it doesn't define a way for the authorization
server to communicate back which resource(s) the issued access token is
actually for.
This draft fills that gap by defining the resource parameter for access
token responses. It serves a similar role to the scope response parameter
from RFC 6749: it lets the authorization server inform the client when the
effective resource(s) differ from what was requested, such as when the
server restricts the token to a subset of requested resources or applies a
default resource policy, a case explicitly called out in RFC 8707 Section
2.2.
The draft is intentionally narrow in scope: it defines the response
parameter, specifies when it's required vs. optional, and updates the IANA
registration accordingly.
Given that it's conditionally required, I would prefer a full-on
8707bis document (for which I have the source prepared as well) but figured
I would first discuss the parameter itself in isolation like this.
Feedback is welcome. Thank you.
Best regards,
*Filip Skokan*
> A new version of Internet-Draft draft-skokan-oauth-resource-response-01.txt
> has been successfully submitted by Filip Skokan and posted to the
> IETF repository.
>
> Name: draft-skokan-oauth-resource-response
> Revision: 01
> Title: Resource Indicator Response Parameter for OAuth 2.0
> Date: 2026-03-01
> Group: Individual Submission
> Pages: 6
> Status:
> https://datatracker.ietf.org/doc/draft-skokan-oauth-resource-response/
> HTML:
> https://www.ietf.org/archive/id/draft-skokan-oauth-resource-response-01.html
> HTMLized:
> https://datatracker.ietf.org/doc/html/draft-skokan-oauth-resource-response
>
> Abstract:
>
> This document defines the resource parameter for OAuth 2.0 access
> token responses, enabling an authorization server to indicate to the
> client the resource(s) which an issued access token is for. It
> updates "Resource Indicators for OAuth 2.0" (RFC 8707).
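To make the behaviour the post describes concrete, here is an added example (not code from the draft, its author, or any project): a toy authorization server that applies the two RFC 8707 Section 2.2 cases (restricting to a permitted subset, or applying a default resource policy) and includes a `resource` parameter in the token response when the effective resource(s) differ from what was requested, plus the client-side check that follows from it. The policy tables and token value are constructed, and two details are assumptions rather than the draft's text: the response value is modelled as a list of resource indicator strings, and it is included only when the effective value differs from the request, by analogy with the `scope` rule in RFC 6749 Section 5.1.

```python
from urllib.parse import urlsplit

# Constructed AS policy tables (not from the draft): the resources each client
# may obtain tokens for, and the default applied when no resource is requested.
CLIENT_ALLOWED = {
    "client-a": {"https://api.example.com/photos", "https://api.example.com/calendar"},
}
DEFAULT_RESOURCES = {"client-a": ["https://api.example.com/photos"]}


def valid_resource_indicator(uri):
    """RFC 8707 Section 2: the value must be an absolute URI without a fragment."""
    parts = urlsplit(uri)
    return bool(parts.scheme) and bool(parts.netloc or parts.path) and parts.fragment == ""


def effective_resources(client_id, requested):
    """Decide which resource(s) the token is actually issued for.

    Covers the two cases RFC 8707 Section 2.2 describes: restricting the token
    to the permitted subset of what was requested, or applying a default
    resource policy when nothing was requested. Raises ValueError("invalid_target")
    for a malformed indicator (the error code RFC 8707 defines for that).
    """
    allowed = CLIENT_ALLOWED.get(client_id, set())
    if not requested:
        return list(DEFAULT_RESOURCES.get(client_id, []))
    for uri in requested:
        if not valid_resource_indicator(uri):
            raise ValueError("invalid_target")
    return [uri for uri in requested if uri in allowed]


def token_response(client_id, requested):
    """Build the token response; 'resource' is the proposed response parameter.

    Assumption (not taken from the draft): like 'scope' in RFC 6749 Section 5.1,
    it is included when the effective value differs from what the client asked
    for, and it is modelled here as a list of resource indicator strings.
    """
    try:
        effective = effective_resources(client_id, requested)
    except ValueError as exc:
        return {"error": str(exc)}
    if not effective:
        return {"error": "invalid_target"}
    response = {
        "access_token": "constructed-opaque-token",  # constructed sample value
        "token_type": "Bearer",
        "expires_in": 3600,
    }
    if sorted(effective) != sorted(requested):
        response["resource"] = effective
    return response


def client_may_use_token(requested, response, target_resource):
    """Client-side check before presenting the token to target_resource.

    If the AS narrowed or defaulted the resource(s), the response says so; the
    client must then treat the returned list, not its own request, as the set
    of resources the token is valid for, and not send it anywhere else.
    """
    if "error" in response:
        return False
    effective = response.get("resource", requested)
    return target_resource in effective


if __name__ == "__main__":
    req = ["https://api.example.com/photos", "https://other.example.net/reports"]
    resp = token_response("client-a", req)
    print(resp)  # contains "resource" because the second URI was dropped
    print(client_may_use_token(req, resp, "https://other.example.net/reports"))
```

The point for client implementers is the last function: without the response parameter a client has no signal that its token was narrowed or defaulted, so it may keep treating its own request as the token's audience; with it, the client can key its "is this token for this resource" decision on what the server actually issued.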
_______________________________________________
OAuth mailing list -- [email protected]
To unsubscribe send an email to [email protected]