[Openid-specs-ab] Question on access token w multiple audiences and multiple resource servers

rich levinson rich.levinson at oracle.com
Tue Oct 17 19:04:17 UTC 2017

Does anyone have guidance on the validity of the following scenario?

    There is a Resource Server, RS-1, that, in order to provide its service
    needs to also access a downstream Resource Server RS-2.

    When the oauth client requests an access token, it is granted an access token
    by the az-svr (that knows that both RS-1 and RS-2 must be used) that
    contains 2 audiences: RS-1 and RS-2.

    The oauth client uses the access token to access RS-1.

    RS-1, in turn, uses the same access token to access RS-2.

    The response is returned from RS-2 to RS-1.
    RS-1 combines the response from RS-2 with its own response and
      returns the combined response to the oauth client.

Given that the token is a bearer token, it seems to me there is no reason why
both the oauth client AND RS-1 can't use the access token to get what they
need, without RS-1 having to register itself as a separate client and get its own
access token.

So, the question is whether this is a legitimate use case for a resource server
to access downstream services.
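An added example, not from the original post, of what the scenario looks like when the az-svr issues a JWT whose `aud` claim lists both resource servers and each server checks for its own identifier before honouring the token. It assumes HS256 with a shared key and the constructed values `rs-1`, `rs-2` and a `read` scope.

```python
import base64, hashlib, hmac, json, time

# Constructed shared HMAC key for the example; real deployments would use
# asymmetric keys so a resource server holding the key cannot mint tokens.
SECRET = b"example-hs256-key-do-not-use"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_token(audiences, scopes, lifetime=300, now=None):
    """az-svr: one token naming both resource servers in `aud` (RFC 7519 allows a list)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": "https://az.example", "sub": "user-42", "aud": list(audiences),
              "scope": " ".join(scopes), "iat": now, "exp": now + lifetime}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def validate_for(token, my_audience, required_scope, now=None):
    """Each RS: verify signature, require *its own* id in `aud`, then check expiry and scope."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    h, c, s = parts
    expected = hmac.new(SECRET, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(c))
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud   # `aud` may be a string or a list
    if my_audience not in aud:
        return False, "audience mismatch"
    if claims.get("exp", 0) <= now:
        return False, "expired"
    if required_scope not in claims.get("scope", "").split():
        return False, "insufficient scope"
    return True, "ok"

def forward_chain(token, now=None):
    """RS-1 checks the token, then presents the same bearer token to RS-2. RS-2 cannot
    tell whether the client or RS-1 sent it; only the `aud` list says it may accept it."""
    rs1 = validate_for(token, "rs-1", "read", now)
    rs2 = validate_for(token, "rs-2", "read", now) if rs1[0] else (False, "not forwarded")
    return {"rs-1": rs1, "rs-2": rs2}
```

A token minted with only `rs-1` in `aud` passes RS-1 but is refused by RS-2, which is the audience check doing the work the question relies on.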

