[OAUTH-WG] resource server id needed?

Torsten Lodderstedt <torsten@lodderstedt.net> Wed, 14 July 2010 22:22 UTC

Message-ID: <4C3E389D.5080300@lodderstedt.net>
Date: Thu, 15 Jul 2010 00:22:21 +0200
From: Torsten Lodderstedt <torsten@lodderstedt.net>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; de; rv:1.9.1.10) Gecko/20100512 Thunderbird/3.0.5
MIME-Version: 1.0
To: "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
Content-Type: text/plain; charset="ISO-8859-15"; format="flowed"
Content-Transfer-Encoding: 7bit
Subject: [OAUTH-WG] resource server id needed?
Precedence: list

I have a question concerning the OAuth philosophy: How many resource 
servers may be managed by a single OAuth authorization server? (a) A 
single resource server or (b) several of them exposing different 
resource types?

If the answer is (b) then how is a particular resource server identified 
in the protocol? Clients have Ids, end-users as well (at least in a 
future protocol extension), but what about resource server Ids?

I think resource servers must be identifiable in multi-server 
deployments for several reasons:
- Interpretation of the scope parameter should be resource server 
specific - "read" may have different meanings in mail and address book
- An authorization server probably wants to apply server-specific 
security policy, e.g. different access token durations
- It will be possible to create special tokens per server

I think we should introduce a resource server id in the authz and access 
token request.

Any thoughts?

regards,
Torsten.

[OAUTH-WG] resource server id needed? Torsten Lodderstedt
Re: [OAUTH-WG] resource server id needed? Marius Scurtescu
Re: [OAUTH-WG] resource server id needed? Eran Hammer-Lahav
Re: [OAUTH-WG] resource server id needed? Torsten Lodderstedt
Re: [OAUTH-WG] resource server id needed? Ivan Pulleyn
Re: [OAUTH-WG] resource server id needed? Luke Shepard
Re: [OAUTH-WG] resource server id needed? William Mills
Re: [OAUTH-WG] resource server id needed? William Mills
Re: [OAUTH-WG] resource server id needed? Torsten Lodderstedt
Re: [OAUTH-WG] resource server id needed? Eran Hammer-Lahav
Re: [OAUTH-WG] resource server id needed? Torsten Lodderstedt
Re: [OAUTH-WG] resource server id needed? Ivan Pulleyn
Re: [OAUTH-WG] resource server id needed? Marius Scurtescu
Re: [OAUTH-WG] resource server id needed? Torsten Lodderstedt
Re: [OAUTH-WG] resource server id needed? Wolfgang.Steigerwald
Re: [OAUTH-WG] resource server id needed? Brian Eaton
Re: [OAUTH-WG] resource server id needed? Torsten Lodderstedt
Re: [OAUTH-WG] resource server id needed? Brian Eaton
Re: [OAUTH-WG] resource server id needed? Torsten Lodderstedt
Re: [OAUTH-WG] resource server id needed? Torsten Lodderstedt
Re: [OAUTH-WG] resource server id needed? David Recordon
Re: [OAUTH-WG] resource server id needed? Andrew Arnott
Re: [OAUTH-WG] resource server id needed? Torsten Lodderstedt
Re: [OAUTH-WG] resource server id needed? Eve Maler
Re: [OAUTH-WG] resource server id needed? Torsten Lodderstedt
Re: [OAUTH-WG] resource server id needed? Eve Maler
Re: [OAUTH-WG] resource server id needed? Torsten Lodderstedt
Re: [OAUTH-WG] resource server id needed? Eve Maler