Resource Indicators for OAuth 2. (See File Oauth_2_0.org)0fleeting
- External reference: https://datatracker.ietf.org/doc/html/rfc8707
Knowing the protected resource (a.k.a. resource server, application, API, etc.) that will process the access token enables the authorization server to construct the token as necessary for that entity.
Several years of deployment and implementation experience with the OAuth 2.0 Authorization Framework [RFC6749] has uncovered a need (in some circumstances, such as an authorization server servicing a significant number of diverse resources) for the client to explicitly signal to the authorization server where it intends to use the access token it is requesting.
it can restrict the intended audience of that token to the given resource such that the token cannot be used successfully at other resources
OAuth scope, from Section 3.3 of [RFC6749], is sometimes overloaded to convey the location or identity of the protected resource
Scope is typically about what access is being requested rather than where that access will be redeemed
“email”, “admin:org”, “user_photos”, “channels:read”, and “channels:write” are a small sample of scope values in use in the wild that convey only the type of access and not the location or identity
Indicates the target service or resource to which access is being requested. Its value MUST be an absolute URI, as specified by Section 4.3 of [RFC3986]. The URI MUST NOT include a fragment component. It SHOULD NOT include a query component, but it is recognized that there are cases that make a query component a useful and necessary part of the resource parameter, such as when one or more query parameters are used to scope requests to an application. The “resource” parameter URI value is an identifier representing the identity of the resource, which MAY be a locator that corresponds to a network-addressable location where the target resource is hosted. Multiple “resource” parameters MAY be used to indicate that the requested token is intended to be used at multiple resources.