<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
Here is a real world analogy:<br>
<ol>
<li>My company issues me a badge that grants access to the 3rd
floor AND to Conference Room 5 on the 3rd floor.</li>
<li>I use the badge to enter the 3rd floor.</li>
<li>I use the same badge to enter Conference Room 5.</li>
</ol>
<p> Thanks,<br>
Rich</p>
<div class="moz-cite-prefix">On 10/17/2017 3:04 PM, rich levinson
via Openid-specs-ab wrote:<br>
</div>
<blockquote type="cite"
cite="mid:1c61af9b-2aba-3487-6ccc-2faee6e303b2@oracle.com">
Does anyone have guidance on the validity of the following scenario?<br>
<blockquote>There is a Resource Server, RS-1, that, in order to
provide its service, needs to also access a downstream Resource
Server RS-2.<br>
<br>
When the OAuth client requests an access token, it is granted an
access token by the az-svr (that knows that both RS-1 and RS-2 must
be used) that contains 2 audiences: RS-1 and RS-2.<br>
<br>
The OAuth client uses the access token to access RS-1.<br>
<br>
RS-1, in turn, uses the same access token to access RS-2.<br>
<br>
The response is returned from RS-2 to RS-1.<br>
RS-1 combines the response from RS-2 with its own response and
returns the combined response to the OAuth client.<br>
</blockquote>
Given that the token is a bearer token, it seems to me there is no
reason why both the OAuth client AND the RS-1 can't use the access
token to get what they need, without RS-1 having to register itself
as a separate client and get its own access token.<br>
<br>
So, the question is whether this is a legitimate use case for a
resource server to access downstream services.<br>
<br>
Thanks,<br>
Rich<br>
</blockquote>
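<p>The scenario in the quoted message, sketched as an added example that is not part of either post: it assumes the access token is a signed JWT whose <code>aud</code> claim lists both resource servers (the messages do not say what the token format is), and the key, <code>issue_token</code> and <code>accept</code> are hypothetical names. It shows that each resource server checks only that its own identifier appears in <code>aud</code>, so the same bearer token passes at RS-1 and at RS-2 and fails anywhere else.</p>

```python
import base64, hashlib, hmac, json, time

# Constructed demo key. HS256 with a shared key keeps this stdlib-only;
# it is an assumption of the sketch, not something the messages specify.
AS_KEY = b"constructed-demo-key"

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(signing_input):
    return hmac.new(AS_KEY, signing_input.encode(), hashlib.sha256).digest()

def issue_token(audiences, ttl=300, now=None):
    """Authorization server: sign a token naming every intended audience."""
    now = int(time.time()) if now is None else now
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": "client-1", "aud": audiences, "exp": now + ttl}
    body = _b64(json.dumps(claims).encode())
    return f"{header}.{body}.{_b64(_sign(header + '.' + body))}"

def accept(token, my_id, now=None):
    """Resource server: check signature, expiry, and that my_id is in aud."""
    now = int(time.time()) if now is None else now
    try:
        header, body, sig = token.split(".")
        if not hmac.compare_digest(_sign(f"{header}.{body}"), _unb64(sig)):
            return False
        claims = json.loads(_unb64(body))
    except ValueError:
        return False
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud  # aud: one string or a list
    return isinstance(aud, list) and claims.get("exp", 0) > now and my_id in aud

if __name__ == "__main__":
    token = issue_token(["RS-1", "RS-2"])      # one token, two audiences
    print("RS-1 accepts:", accept(token, "RS-1"))   # client -> RS-1
    print("RS-2 accepts:", accept(token, "RS-2"))   # RS-1 forwards same token
    print("RS-3 accepts:", accept(token, "RS-3"))   # not an audience
    print("RS-2 accepts RS-1-only token:", accept(issue_token("RS-1"), "RS-2"))
```

<p>Nothing in the token tells RS-2 whether the caller was the original client or RS-1; with a bearer token, holding it is the only thing checked.</p>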
<br>
</body>
</html>