Should a token grant access to anything more specific than the specified resource?

[aaronpk]

(copying from the wiki)

Would a token grant access to anything more specific than the provided resource, or would it be only for that specific resource? (e.g. should a token for https://example.com/alice/ also work on https://example.com/alice/feed)

• Giving meaning to the URLs like this is convenient but may be misleading or break security boundaries in unexpected ways.
• An alternative would be to include another parameter, such as the previously discussed "realm", or somehow using scopes for this.
• Following RFC8707: Resource Indicators for OAuth 2.0 this would mean allowing resource=https://example.com/alice/ to be used to retrieve the value of https://example.com/alice/feed
  • This allows the use of multiple resource parameters for the purpose of multiple resource URLs to provide access to

[dshanske]

Related #82