-
Notifications
You must be signed in to change notification settings - Fork 8
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Introduce Resource Indicators #96
base: main
Are you sure you want to change the base?
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good - I guess we don't need to have anything around how i.e. resource=https://api.example.com/
allows access to https://api.example.com/micropub
and https://api.example.com/notify
, as it's already in RFC8707?
Needs to add that scope or resource are optional, but scope is not mandatory if resource provided. |
@jamietanna Can you check this again now that I've noted that scope is not required if resource is present and such? |
Refreshed from main. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good! Do we want to have a worked example for what a resource
would look like for restricting access?
Can you elaborate? Not sure what that looks like. |
I do think we should make sure there is a clear path to using this for Ticket Auth before bringing it into the spec. My recollection is that is the primary use case driving this, and that this is a prerequisite for using it in the Ticket Auth extension. Even so, I don't think it's a good idea to bring this in until there is a clear plan for how to use it in an extension. And even then, perhaps it makes more sense to keep it in an extension. |
I agree with the statement this should remain outside the spec until later. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We are going to hold off on this until there is a more concrete use case
Agreed, that's why I removed it from the milestone |
Would OAuth 2.0 Rich Authorization Requests address the non-ticket use cases brought up here? For example, figure 1 from draft 11 shows the common data field {
"type": "payment_initiation",
"locations": [
"https://example.com/payments"
],
"instructedAmount": {
"currency": "EUR",
"amount": "123.50"
},
"creditorName": "Merchant A",
"creditorAccount": {
"iban": "DE02100100109307118603"
},
"remittanceInformationUnstructured": "Ref Number Merchant"
} |
Attempts to introduce resource indicators to the spec, as proposed in #82 to address #83(which is specific to ticket auth. Hoping to discuss this at the upcoming Popup.
This adds a parameter, resource, that indicates the target service(s) or resource(s) to which access is being requested. This is a contrast to scope, which talks about access permissions, not what those permissions are accessing. A request could therefore have a resource parameter, a scope parameter, or both. But if neither are requested, no token would be issued.
In the proposed Ticket Auth extension to IndieAuth, for example, a publisher would send a ticket to a potential consumer with the resource parameter, then the potential consumer would redeem the ticket for a resource restricted token, only allowing access to private items under that base URL.