[Openid-specs-ab] Question on access token w multiple audiences and multiple resource servers
rich.levinson at oracle.com
Tue Oct 17 19:04:17 UTC 2017
Does anyone have guidance on the validity of the following scenario?
There is a Resource Server, RS-1, that, in order to provide its service
needs to also access a downstream Resource Server RS-2.
When the oauth client requests an access token, it is granted an access token
by the az-svr (that knows that both RS-1 and RS-2 must be used) that
contains 2 audiences: RS-1 and RS-2.
The oauth client uses the access token to access RS-1.
RS-1, in turn, uses the same access token to access RS-2.
The response is returned from RS-2 to RS-1.
RS-1 combines the response from RS-2 with its own response and
returns the combined response to the oauth client.
Given that the token is a bearer token it seems to me there is no reason why
both the oauth client AND the RS-1 can't use the access token to get what they
need, without RS-1 having to register itself as a separate client and get its own
So, the question is whether this is a legitimate use case for a resource server
to access downstream services.
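The flow described above, as an added example that is not part of the original post or of any OpenID/OAuth specification: an authorization server mints a JWT whose `aud` claim lists both RS-1 and RS-2, RS-1 validates it for itself and then forwards the same bearer token to RS-2, and RS-2 validates it independently. The key, issuer, subject and the two resource-server identifiers are constructed demo values, HS256 with a shared demo key is an assumption (a real AS would normally sign with an asymmetric key that the resource servers verify with its public key), and `mint_token`, `validate_for`, `rs1_handle_request` and `rs2_handle_request` are hypothetical names. The point a defender wants to see is that each resource server checks for its own identifier in `aud` and trusts nothing about the other's check, so a token minted for RS-1 alone is refused when RS-1 tries to reuse it at RS-2.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key. A deployment would use the AS's signing key,
# typically asymmetric, with each RS verifying against the AS public key.
DEMO_KEY = b"demo-shared-secret-not-for-production"

RS1 = "https://rs-1.example"  # constructed resource-server identifiers
RS2 = "https://rs-2.example"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(audiences, key=DEMO_KEY, lifetime=300):
    """Mint an HS256 JWT whose 'aud' claim lists every intended recipient."""
    header = {"alg": "HS256", "typ": "JWT"}
    now = int(time.time())
    claims = {"iss": "https://az-svr.example", "sub": "client-123",
              "aud": list(audiences), "iat": now, "exp": now + lifetime}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_for(token, my_identifier, key=DEMO_KEY, now=None):
    """Validate `token` as the resource server named by `my_identifier`.

    Returns the claims when the signature verifies, the token is unexpired,
    and `my_identifier` is present in 'aud' (RFC 7519 section 4.1.3: 'aud'
    is a string or an array, and a recipient not listed must reject).
    Raises ValueError otherwise.
    """
    try:
        h, c, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, (h + "." + c).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(c))
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else (aud or [])
    if my_identifier not in audiences:
        raise ValueError(f"{my_identifier} is not an intended audience")
    return claims


def rs2_handle_request(token):
    """RS-2 validates independently; it does not rely on RS-1 having checked."""
    validate_for(token, RS2)
    return {"rs2": "ok"}


def rs1_handle_request(token):
    """RS-1 validates for itself, forwards the same bearer token to RS-2
    (the flow in the post) and combines both responses."""
    validate_for(token, RS1)
    own_part = {"rs1": "ok"}
    return {**own_part, **rs2_handle_request(token)}


def demo():
    """Two-audience token succeeds end to end; single-audience token is
    accepted by RS-1 but refused by RS-2 when RS-1 forwards it."""
    two_aud = mint_token([RS1, RS2])
    one_aud = mint_token([RS1])
    results = {"two_aud": rs1_handle_request(two_aud)}
    try:
        rs1_handle_request(one_aud)
        results["one_aud"] = "accepted"
    except ValueError as e:
        results["one_aud"] = str(e)
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The example only shows the audience check each server performs on the shared bearer token; it does not settle whether handing the client's token downstream is the right design for a given deployment.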