Re: [OAUTH-WG] updated Distributed OAuth ID

Torsten Lodderstedt <> Sat, 21 July 2018 16:49 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 5F012130DC4 for <>; Sat, 21 Jul 2018 09:49:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.619
X-Spam-Status: No, score=-2.619 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id MP8OyvA-syQX for <>; Sat, 21 Jul 2018 09:49:09 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 2560A127333 for <>; Sat, 21 Jul 2018 09:49:09 -0700 (PDT)
Received: from [] (helo=[]) by with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.90_1) (envelope-from <>) id 1fgv47-0000Kn-0U; Sat, 21 Jul 2018 18:49:07 +0200
Content-Type: multipart/signed; boundary=Apple-Mail-E12ECF2A-90C9-487C-BF96-94BC9F394B69; protocol="application/pkcs7-signature"; micalg=sha1
Mime-Version: 1.0 (1.0)
From: Torsten Lodderstedt <>
X-Mailer: iPad Mail (15F79)
In-Reply-To: <>
Date: Sat, 21 Jul 2018 18:49:05 +0200
Content-Transfer-Encoding: 7bit
Message-Id: <>
References: <> <> <> <> <>
To: Dick Hardt <>
X-Df-Sender: dG9yc3RlbkBsb2RkZXJzdGVkdC5uZXQ=
Archived-At: <>
Subject: Re: [OAUTH-WG] updated Distributed OAuth ID
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sat, 21 Jul 2018 16:49:12 -0000

Hi Dick,

Am 19.07.2018 um 15:46 schrieb Dick Hardt <>om>:

>> I think any scenario with multiple resource servers relying on the same AS for authorization where the client acts on behalf of the resource owner qualifies for grant type code and distributed OAuth. 
>> Let’s assume a user wants to authorize a client for access to her cloud storage, email account and contacts when setting app the respective app.
> Would you walk me through the user experience that happened for the client to do discovery on these three resources? In other words, what did the user do to get the client to call the resource and get back the 401 response?

I would assume the user enters the URLs or identifies the respective service providers in the app (e.g. by entering her email address). The client then sends an initial request as described in your draft and gets back the 401.

Doing so for several resources will give the client the AS URL for all involved resources. If the client compares the iss claims it will figure our all resources are protected by the same AS and can authorize access via a single authz code grant flow.

kind regards,