openid · tulshi · Jun 10, 2024 · Dec 21, 2023 · Jan 9, 2024 · Dec 21, 2023
@@ -207,15 +207,21 @@ All events MUST be signed using the `RS256` algorithm using a minimum of 2048-bi
 
 ### Authorization Server
 * MAY distribute discovery metadata (such as the authorization endpoint) via the metadata document as specified in [RFC8414]{{RFC8414}}
-* MUST support at least one of the following to obtain a short-lived access token. Please refer Access token lifetimes in the security considerations {{FAPI}} for additional considerations.
+* MUST support at least one of the following to obtain a short-lived access token. A short lived access token could be defined as `exp` claim no longer than 60 mins after `nbf`. Please refer Access token lifetimes in the security considerations {{FAPI}} for additional considerations. 
 ** client credential grant flow {{RFC6749}} section 4.4
 ** authorization code flow {{RFC6749}} section 4.1
 
 ### OAuth Scopes
-The OAuth scopes required to access the resources MAY be obtained by the client using {{OPRM}} hosted by the Resource Server. In the absence of this mechanism - 
-* An OAuth {{RFC6749}} authorization that is used to issue tokens to SSF Receivers, MUST reserve the scopes for the SSF endpoints with the prefix of `ssf`
-* All the SSF stream configuration management API operations MUST be protected using `ssf.manage` scope
-* All the SSF stream configuration Read API operations MUST be protected by `ssf.read` scope
+The client could discover OAuth scopes needed to access the reource by 2 separate mechanisms depending on the support from the OAuth service
+
+#### Resource Server
+The OAuth scopes required to access the resources MAY be obtained by the client using {{OPRM}} hosted by the Resource Server. 
+
+#### Authorization Server 
+In the absence of Resource server's support for {{OPRM}} the following process should be adopted - 
+* An OAuth {{RFC6749}} authorization server that is used to issue tokens to SSF Receivers, MUST reserve the scopes for the SSF endpoints with the prefix of `ssf`
+* All the SSF stream configuration management API operations MUST accept `ssf.manage` scope
+* All the SSF stream configuration Read API operations MUST accept `ssf.read` scope
 * Authorization server MAY postfix scope names with more granular operations eg. `ssf.manage.create`, `ssf.manage.update` etc.
 * Transmitter managed poll endpoint MAY use the scope in the same nomenclature as `ssf.manage.poll`