What is the value of the thing that comes back from the helper #33
Comments
Arguments for the "approval" option:
Who holds the revoke list? In a sense the main AS becomes the third party and it attenuates/delegates to the fourth party: the client
Maybe the main AS holds the grants list but the helper holds some sort of "shares" list, i.e. the scopes it dynamically labels
Discussed with @HarryKodden just now what a good name for 'the thing the helper returns' would be. Options:
We chose 'scope' for now.
We had another discussion about this today and decided on "approval", not "description". The reason is that authentication of the resource owner should be an additional task of the resource helper. There is no way to pass that authentication back and forth between AS and RH.
-> #39
It's worth noting that the "approval" does have value, but it is a half-product. Only the AS can put it into an access token. See also #40
The thing that comes back from the helper may be just a description of something, or it may actually already be "approved" by the resource owner in some sense.
The "description" case is closest to the scope parameter in an OAuth authorization response. It just describes which client actions the grant covers, and by omission, which client actions it doesn't. The language of this is left out of scope - it can define resources or access modes or any other axis of differentiation.
The "approval" case is what we discussed in our meeting on 22-03-2024, and it gives a bigger task to the helper.
In any case you could also switch the scope-selection step and the audience-check step in the auth server GUI.