You could pass the RS's opaque tokens and do introspection, or send a signed JWT
to avoid the introspection step.
There is no guarantee that the user portion of identities used to log in to your
AS will be globally unique.
You need to scope the user part to the issuer in the token you issue to the R
Todd - doesn't the AS have adequate "scope" information to guess which
resource server the token might get delivered to? I am afraid that's
about as far as the OAuth flows go in capturing the "target" of the
final request.
Couldn't the "scope" information be used by the AS to decide between
inc
This question exposes a shortcoming of the final spec. After implementing
an authorization server, I've formed the opinion that the spec doesn't
define clearly enough the auth server's behavior at the token endpoint.
Implementers do not know what discretion they are entitled when trying to
reconcil
Hi Brian,
Regarding progressing the documents here are the next steps:
a) The shepherd needs to read through the documents. I am the shepherd and
I have read through the latest version of the documents yesterday.
b) I will post a short WGLC to the list to solicit any comments on the