The document is confusing a Resource Server (RS) with a Protected Resource #284

Closed
Denisthemalice opened this issue Jul 18, 2021 · 2 comments

Comments

@Denisthemalice

The definition of a RS is given on page 7:

Resource Server (RS) server that provides operations on protected resources, where operations require a valid access token issued by an AS.

The definition of a Protected Resource is given on pages 8 and 9:

Protected Resource protected API (Application Programming Interface) served by an RS and that can be accessed by a client, if and only if a valid access token is provided.

Note: to avoid complex sentences, the specification document may simply refer to resource instead of protected resource.

When a client accesses an RS for the first time, it does not necessarily know that a resource is protected using GNAP, and if protected by GNAP, which ASs are trusted by the RS.

Some resources on a RS can be protected using, e.g., an authentication mechanism while some other resources can be protected using GNAP or OAuth. The error codes to be returned by the server are not the same.

It would be worthwhile to delete the Note and within the document to make a difference between a RS and a PS.

@jricher
Collaborator

jricher commented Jul 18, 2021

This document is not concerned with resources that are not protected by GNAP. It is not meant to be a universal security solution for the internet.

Closing this issue as this has been discussed several times.

@jricher jricher closed this as completed Jul 18, 2021
@aaronpk
Collaborator

aaronpk commented Jul 19, 2021

See also: #212
