Re: [OAUTH-WG] OAuth 2.0 Discovery Location

Thomas Broyer <> Thu, 25 February 2016 17:08 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id C51DE1B2E2F for <>; Thu, 25 Feb 2016 09:08:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id t0AOjBxh2GzH for <>; Thu, 25 Feb 2016 09:08:51 -0800 (PST)
Received: from ( [IPv6:2a00:1450:4010:c04::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 296541B2E32 for <>; Thu, 25 Feb 2016 09:08:49 -0800 (PST)
Received: by with SMTP id bc4so32649407lbc.2 for <>; Thu, 25 Feb 2016 09:08:48 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :content-type; bh=4DbO5UuNjNSamPRzMyPGj+zG+P83TPGsHwq7lBVX3co=; b=iTtM88Z/0kryaXNWMnq9ZK2JAmllEavBJTNC0InL71yKGLflDcR257OQYEwT7oly5X tVejY7qR8luCleBnzakk4HVrwkrPG7ZVxYmh1pjK743qMkvaOWhArL+ZvQHsclOegSVe ENOsMkTEACeCcUhnEqTaGuMFkZtuEwgYDU18cjAvV6PbUdWoVhfwavddvzaEXhwVEPUJ EBolif0WzWbxdXvBuGhD+3oTeVXuVWjEgWlYiinwGlPN+8e5lqQMFGkGf2YLwMirSHC8 ydkHz7z0+1R/rFNpPDvLdEoIh6vEhRwG3Cat+H8IdzwzapH0V1J91Or86/MaAWsTFRFc VUuw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20130820; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:content-type; bh=4DbO5UuNjNSamPRzMyPGj+zG+P83TPGsHwq7lBVX3co=; b=geFXe7xQGAl/R2O7fJGBTLnayh5G5GQs82ds1P+S9ykqm5toQp204YwHsAeYjE6ERQ LavCaXDWvaLtiiIdOcZmzpRCGrlR9M24au4HyWtTST6qXifwZTVMDsOAA7prsq89AaUK U615i4nWlzS+vxCUZSzlQR/eW27C5KodOvy1Y3cLwajkIRiCYj/O2oCyq5nCEOp2id1b 4Wx6KyQOI4QowIbE1v5cFfb1WWTRNkhVHbRaopFIgX/sLe1+q9NZhUHJw69kxkkD+cSH OgHzTaKWjElB60urN8Lt2gL3T8X4mHWpKSlpRVwqFbWDSKZL+NiB6fnW4QcA6bJTxkhL Ap9w==
X-Gm-Message-State: AG10YORh8UVpGy5s+b8ITjbn5He9T69jaiL+Qs/CaKXCdECfhwd5ufJ6ZOZXB0GTkJ5XYJlv1Wx7XufQ27r8dA==
X-Received: by with SMTP id nd8mr17029282lbc.116.1456420126996; Thu, 25 Feb 2016 09:08:46 -0800 (PST)
MIME-Version: 1.0
References: <> <> <> <> <> <> <> <>
In-Reply-To: <>
From: Thomas Broyer <>
Date: Thu, 25 Feb 2016 17:08:36 +0000
Message-ID: <>
To: George Fletcher <>, Vladimir Dzhuvinov <>,
Content-Type: multipart/alternative; boundary="001a11c3bc4e503e2c052c9b3c73"
Archived-At: <>
Subject: Re: [OAUTH-WG] OAuth 2.0 Discovery Location
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 25 Feb 2016 17:08:57 -0000

On Thu, Feb 25, 2016 at 4:25 PM George Fletcher <> wrote:

> Interesting... this is not at all my current experience:) If a RS goes
> from v2 of it's API to v3 and that RS uses the current standard of putting
> a "v2" or"v3" in it's API path... then a token issued for v2 of the API can
> not be sent to v3 of the API, because v3 wasn't wasn't registered/deployed
> when the token was issued.

Add to that:

   - "restful" APIs have a lot of "endpoints" related to a single scope
   - I know at least one AS that doesn't require RSs to register (I wonder
   how it all works, and whether it's really secure –I hope so, given the
   known RSs–, but that's how it is): documentation can be found (in French)
   at (or if the previous URL doesn't work
   for you, they have DNS configuration issues)
   - even UMA doesn't register "resources" themselves, but only "resource
   sets", and it doesn't even require a) an URI for the resource set, or b)
   any "relationship" between the resource set URI (if any) and the URIs of
   the resources "in" the resource set:

> The constant management of scopes to URI endpoints seems like a complexity
> that will quickly get out of hand.