[Openid-specs-fapi] Issue #497: RS Clauses re access token (openid/fapi)
dgtonge
issues-reply at bitbucket.org
Thu May 5 08:32:48 UTC 2022
New issue 497: RS Clauses re access token
https://bitbucket.org/openid/fapi/issues/497/rs-clauses-re-access-token
Dave Tonge:
We have these clauses for Resource Servers
```
shall verify that the scope of the access
token authorizes the access to the resource it is representing
...
shall identify the associated entity to the access token
shall only return the resource identified by the combination of the entity
implicit in the access and the granted scope and otherwise return errors as
in section 3.1 of [@!RFC6750]
```
I’m not sure how we can test them and I’m not sure about the language.
We need to consider that some RS endpoints will be POST / PATCH / PUT, i.e. an action is being performed rather than just a resource being returned.
Can we not simplify the above 3 clauses to something like:
> shall verify that the authorization represented by the access token is sufficient for the requested resource access
Responsible: Dave Tonge
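As an added illustration (not code from the FAPI specification or from the OpenID project), the following resource-server check implements the proposed single clause in a way that also covers POST/PATCH/PUT actions: it identifies the entity associated with the token, checks that the granted scope covers the action on the requested resource, and otherwise returns the errors from section 3.1 of RFC 6750. The token claims, scope names, path layout and policy table are constructed assumptions; the token is assumed to have already been validated (signature or introspection) before these checks run.

```python
"""Added example: check that the authorization represented by an access token
is sufficient for the requested resource access. Illustrative code only, with
a constructed policy table; not the FAPI spec's own text or any project code."""
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed policy: (HTTP method, resource collection) -> scope required.
# Write operations need a distinct scope, so actions such as POST/PATCH/PUT
# are covered, not only cases where a resource is returned.
REQUIRED_SCOPE = {
    ("GET", "accounts"): "accounts:read",
    ("GET", "payments"): "payments:read",
    ("POST", "payments"): "payments:write",
    ("PATCH", "payments"): "payments:write",
    ("PUT", "payments"): "payments:write",
}


@dataclass
class Decision:
    allowed: bool
    status: int                  # HTTP status code to return
    error: Optional[str] = None  # RFC 6750 section 3.1 error code, if any


def parse_path(path: str) -> Optional[Tuple[str, str]]:
    """Return (collection, owner_id) from a constructed path layout of
    /<collection>/<owner>/<optional resource id>."""
    parts = [p for p in path.split("/") if p]
    if len(parts) < 2:
        return None
    return parts[0], parts[1]


def authorize_request(claims: dict, method: str, path: str) -> Decision:
    # 1. The token must identify an associated entity (assumed to be in "sub").
    entity = claims.get("sub")
    if not entity:
        return Decision(False, 401, "invalid_token")

    parsed = parse_path(path)
    if parsed is None:
        return Decision(False, 404)
    collection, owner = parsed

    # 2. The action must be one this RS defines for the resource; otherwise
    #    no scope could authorize it.
    required = REQUIRED_SCOPE.get((method.upper(), collection))
    if required is None:
        return Decision(False, 405)

    # 3. The granted scope must cover the scope the action requires.
    granted = set(claims.get("scope", "").split())
    if required not in granted:
        return Decision(False, 403, "insufficient_scope")

    # 4. The resource must belong to the entity implicit in the token.
    #    RFC 6750 section 3.1 offers only invalid_request/invalid_token/
    #    insufficient_scope, so 403 insufficient_scope is used here; some
    #    deployments prefer 404 to avoid confirming that the resource exists.
    if owner != entity:
        return Decision(False, 403, "insufficient_scope")

    return Decision(True, 200)


# Constructed sample claims for a token issued to "alice" with read-only scopes.
SAMPLE_CLAIMS = {"sub": "alice", "scope": "accounts:read payments:read"}

if __name__ == "__main__":
    print(authorize_request(SAMPLE_CLAIMS, "GET", "/accounts/alice/123"))
    print(authorize_request(SAMPLE_CLAIMS, "POST", "/payments/alice"))
    print(authorize_request(SAMPLE_CLAIMS, "GET", "/accounts/bob/9"))
```

The policy table is what makes the single clause testable: a conformance test can issue tokens with a known scope and entity and check that each (method, resource) combination is accepted or rejected with the expected RFC 6750 error.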