Protecting Your APIs With OAuth
Fleeting- External reference:
He explains the hotel metaphor and stresses that the resource server does not need to know about the resource owner.
reference token vs self-encoded access token ->
use different lifetimes for your access tokens depending on the criticality of the scope
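As an added illustration of the two notes above (not code from the talk or its speaker), the block below contrasts a reference token, which is an opaque random string the resource server can only learn about by asking the authorization server (introspection), with a self-encoded token, which carries its own signed claims. Both issuers apply the same scope-based lifetime rule: the token lives only as long as its most critical scope allows. The scope names, their lifetimes and the HMAC-signed token format are constructed for the example; the self-encoded token is a deliberately minimal signed blob, not a standards-compliant JWT.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed policy (not from the talk): lifetime in seconds per scope,
# shorter for scopes whose misuse would be more damaging.
SCOPE_LIFETIMES = {
    "read:profile": 3600,
    "write:profile": 900,
    "payments:initiate": 120,
}


def lifetime_for(scopes):
    """Bound the lifetime by the most critical (shortest-lived) scope requested."""
    unknown = [s for s in scopes if s not in SCOPE_LIFETIMES]
    if unknown or not scopes:
        raise ValueError(f"unknown or empty scope request: {unknown}")
    return min(SCOPE_LIFETIMES[s] for s in scopes)


class ReferenceTokenIssuer:
    """Reference token: random, opaque; meaning lives only in the issuer's store."""

    def __init__(self):
        self._store = {}

    def issue(self, scopes, now):
        token = secrets.token_urlsafe(32)
        self._store[token] = {"scope": list(scopes), "exp": now + lifetime_for(scopes)}
        return token

    def introspect(self, token, now):
        # What a resource server would get back from an introspection call.
        rec = self._store.get(token)
        if rec is None or now >= rec["exp"]:
            return {"active": False}
        return {"active": True, "scope": rec["scope"], "exp": rec["exp"]}


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class SelfEncodedTokenIssuer:
    """Self-encoded token: claims travel inside the token under an HMAC signature."""

    def __init__(self, key):
        self._key = key

    def issue(self, scopes, now):
        claims = {"scope": list(scopes), "iat": now, "exp": now + lifetime_for(scopes)}
        body = _b64(json.dumps(claims, sort_keys=True).encode())
        sig = _b64(hmac.new(self._key, body.encode(), hashlib.sha256).digest())
        return f"{body}.{sig}"

    def verify(self, token, now):
        # A resource server holding the key validates locally, no round trip needed.
        try:
            body, sig = token.split(".")
        except ValueError:
            return None
        expected = _b64(hmac.new(self._key, body.encode(), hashlib.sha256).digest())
        if not hmac.compare_digest(expected, sig):
            return None
        claims = json.loads(_unb64(body))
        if now >= claims["exp"]:
            return None
        return claims


def has_scope(claims, required):
    """Resource-server check: the token must be valid and carry the required scope."""
    return claims is not None and required in claims.get("scope", [])


if __name__ == "__main__":
    now = 1_700_000_000  # constructed fixed clock for a reproducible demo
    ref = ReferenceTokenIssuer()
    t = ref.issue(["read:profile", "payments:initiate"], now)
    print("reference token, introspected at +60s:", ref.introspect(t, now + 60))
    print("reference token, introspected at +120s:", ref.introspect(t, now + 120))
    se = SelfEncodedTokenIssuer(b"constructed-demo-key")
    t2 = se.issue(["read:profile"], now)
    print("self-encoded claims:", se.verify(t2, now + 10))
```

The asymmetry worth noticing: revoking a reference token is a deletion from the store, while a self-encoded token stays valid until its `exp`, which is exactly why the lifetime chosen per scope matters more for the self-encoded variant.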
He talks about how rich authorization requests will allow more precise scoping, yet notes that it is still work in progress.