As mentioned below, I agree the two can be separated - but I also agree with
George on the need to be clear and easy to reference for developers.
Just adding a reference to req_aud would just raise the cyclomatic
complexity of the specs, which is already unusably high for mere mortals in
the OAuth2/O
I agree with John’s logic. The physical resource and logical resource should
use different identifiers. Fortunately, we already have “resource” and
“req_aud” for these parameters. I believe we’re good to go, as-is.
-- Mike
From: OAuth O
Hi all,
thanks for your patience. Brian and myself iterated on modifying the text to
cover the logical identifier use case, highlighting the security
implications of going that route. You can find the revised text in
https://github.com/vibronet/i-d/blob/master/draft-ietf-oauth-resource-indicators.xm