Protocol assumes one resource per URL #162
The UMA protocol assumes that there's only one resource per URL, but not all APIs are designed this way. Some use contextual information in the request outside of the URL to determine the kind of request being made. For instance, in OpenID Connect's UserInfo Endpoint, the scopes associated with the access token used to make the request to the endpoint determine which parts of a user's profile are returned. The
API designers are vanishingly unlikely to change their APIs to accommodate the quirks of a security protocol.
Discussion on 2015-08-13: The constraint is that the RS must be able, based on the C's access attempt with no token and no other context, to distinguish the AS and RO that match the protected resource set. In practice, this likely means that the URI needs to be unique per resource set. Let's mention this constraint in a few places. E.g., in Core Sec 1.3.1 and Core Sec 2. And we also have to put it into RSR Sec 2 and Sec 2.2.
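The constraint from the 2015-08-13 discussion, as an added example that is not part of the issue or of the UMA specification: a resource server registry that resolves the AS and RO from the request URI alone and refuses a second resource set on an already-claimed URI. All names (`ResourceSetRegistry`, `resolve_tokenless`, the `rs.example` and `as*.example` hosts, the `rs-N` ids) are hypothetical.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

@dataclass(frozen=True)
class ResourceSet:
    rsid: str    # resource set id (constructed value)
    uri: str     # URI the RS serves this resource set at
    owner: str   # resource owner (RO)
    as_uri: str  # authorization server (AS) protecting it

class AmbiguousResource(Exception):
    """Two resource sets would be indistinguishable on a tokenless request."""

def uri_key(uri):
    # Only the request URI is available: no token, no scopes, no other context.
    p = urlsplit(uri)
    key = f"{p.scheme.lower()}://{p.netloc.lower()}{p.path or '/'}"
    return f"{key}?{p.query}" if p.query else key

class ResourceSetRegistry:
    def __init__(self):
        self._by_uri = {}

    def register(self, rs):
        key = uri_key(rs.uri)
        current = self._by_uri.get(key)
        if current is not None and current.rsid != rs.rsid:
            raise AmbiguousResource(
                f"{rs.uri} already maps to {current.rsid} "
                f"(RO {current.owner}, AS {current.as_uri})")
        self._by_uri[key] = rs

    def resolve_tokenless(self, request_uri):
        """Return (as_uri, owner) for a request with no token, or None."""
        rs = self._by_uri.get(uri_key(request_uri))
        return (rs.as_uri, rs.owner) if rs else None

def demo():
    reg, A, B = ResourceSetRegistry(), "https://as1.example", "https://as2.example"
    # Constructed sample data. Per-owner URIs name exactly one resource set each.
    reg.register(ResourceSet("rs-1", "https://rs.example/users/alice/profile", "alice", A))
    reg.register(ResourceSet("rs-2", "https://rs.example/users/bob/profile", "bob", B))
    # UserInfo-style endpoint: one URL whose content depends on the token.
    reg.register(ResourceSet("rs-3", "https://rs.example/userinfo", "alice", A))
    try:
        reg.register(ResourceSet("rs-4", "https://rs.example/userinfo", "bob", B))
        return reg, True
    except AmbiguousResource:
        return reg, False
```

The second `/userinfo` registration is refused because, on a request with no token, the RS would have no way to pick between the two owners and their authorization servers.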