Resource Indicator

Introduction


The original mechanism in the OAuth 2 framework for expressing authorizations is the scopes presented on the token by the subject to the token holder. That allowed many enterprises and adopters to properly secure their environments when there is no ambiguity about which resource the token is for.

Today, with microservice architectures and data partitioning driven by data residency requirements or data sharding, a resource that the API client needs to access must be precisely identified in the request, the token and the introspection.

There are 2 specifications that address this: the Resource Identifier (RFC 8707) and the Rich Authorization Requests (which is still in draft state).

This note covers Authlete's support for the Resource Identifier specification.

