From 97110a40064b7e378fb33b40cd1475ca50f24230 Mon Sep 17 00:00:00 2001 From: Michiel de Jong Date: Mon, 4 Nov 2024 17:03:47 +0100 Subject: [PATCH] More spec work (#92) --- ...-vandermeulen-oauth-resource-helper-00.xml | 81 ++++++++++--------- 1 file changed, 45 insertions(+), 36 deletions(-) diff --git a/phase-3/spec/draft-vandermeulen-oauth-resource-helper-00.xml b/phase-3/spec/draft-vandermeulen-oauth-resource-helper-00.xml index f692aab..1c62f12 100644 --- a/phase-3/spec/draft-vandermeulen-oauth-resource-helper-00.xml +++ b/phase-3/spec/draft-vandermeulen-oauth-resource-helper-00.xml @@ -166,36 +166,47 @@
Resource Helper Registry - The Authorization Server SHOULD maintain a registry of Resource Helpers it trusts, - with for each Resource Helper: - * a fully qualified domain name (for `/.well-known/resource-helper` lookup, see below) - * client credentials + The Authorization Server SHOULD maintain a registry of trustworthy Resource Helpers, + containing for each Resource Helper: + + + + The Authorization Server SHOULD NOT redirect the end user to Resource Helpers other than the ones + from this registry. + It SHOULD also NOT accept authenticated choice submissions from Resource Helpers other than the ones + from this registry.
Resource Helper Well-Known Endpoint - At the `/.well-known/resource-helper` end point, the Resource Helper lists the URI for - the `pick` endpoint (front channel). + At its `/.well-known/resource-helper` end point, the Resource Helper SHOULD serve a JSON document, + containing an object with a member whose key is "pick" and whose value is the URI for + the pick endpoint to which the Authorization Server can redirect the user.
Resource Helper Configuration - The Resource Helper needs to store: - * its client credentials - * the `choice` endpoint URL of the Auhtorization Server (back channel) - * the `redirect_uri` endpoint URL of the Authorization Server (front channel) - * (optional) the `subject_info` endpoint URL of the Authorization Server (back channel) - + The Resource Helper needs to persist: + +
Resource Helper Pick endpoint - The Authorization can redirect the end user to the Resource Helper's Pick endpoint, with in the query paramaters: + The Authorization can redirect the end user to the Resource Helper's Pick endpoint, with in the query parameters:
The Choice endpoint - The authorization server MAY receive additional types of information from the resource helper through the Choice endpoint. + After allowing the user to pick an access scope, the resulting choice submission would include: + +