RS Clauses re access token
Issue #497
resolved
We have these clauses for Resource Servers
shall verify that the scope of the access token authorizes the access to the resource it is representing
...
shall identify the associated entity to the access token
shall only return the resource identified by the combination of the entity implicit in the access and the granted scope and otherwise return errors as in section 3.1 of [@!RFC6750]
I’m not sure how we can test them and I’m not sure about the language.
We need to consider that some RS endpoints will be POST / PATCH / PUT, i.e. an action is being performed rather than just a resource being returned.
Can we not simplify the above 3 clauses to something like:
shall verify that the authorization represented by the access token is sufficient for the requested resource access
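As an added illustration (not part of this issue or of the FAPI spec text), a Python sketch of the single check the proposed clause describes: it handles non-GET methods as actions needing a write scope, binds the resource to the token's entity, and otherwise returns the RFC 6750 section 3.1 error codes. The claim and scope names, the method-to-scope table, and the choice of error for a cross-entity request are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample: claims as an RS would obtain them from token
# introspection (RFC 7662) or a verified JWT. Names are hypothetical.
TOKEN_CLAIMS = {
    "active": True,
    "sub": "user-123",
    "scope": "accounts:read payments:write",
    "exp": 1_900_000_000,
}

# Assumed mapping of (method, resource type) -> scope the RS requires.
# POST/PATCH/PUT perform an action, so they need a write scope.
REQUIRED_SCOPE = {
    ("GET", "accounts"): "accounts:read",
    ("GET", "payments"): "payments:read",
    ("POST", "payments"): "payments:write",
    ("PATCH", "payments"): "payments:write",
}

@dataclass
class Decision:
    status: int               # HTTP status the RS should return
    error: Optional[str]      # RFC 6750 section 3.1 error code, None if allowed
    entity: Optional[str]     # entity the token is bound to, when allowed

def authorize(claims, method, resource_type, resource_owner, now):
    """Decide whether the authorization represented by the access token
    is sufficient for the requested resource access."""
    # Inactive or expired token, or no bound entity -> 401 invalid_token
    if not claims.get("active") or claims.get("exp", 0) <= now \
            or not claims.get("sub"):
        return Decision(401, "invalid_token", None)
    required = REQUIRED_SCOPE.get((method, resource_type))
    if required is None:
        # Method/resource combination the RS does not expose (assumption:
        # treated as a malformed request rather than 404).
        return Decision(400, "invalid_request", None)
    granted = set(claims.get("scope", "").split())
    if required not in granted:
        return Decision(403, "insufficient_scope", None)
    # Entity binding: only the resource of the token's own entity may be
    # returned. Assumption: a cross-entity request is reported as
    # insufficient_scope rather than leaking whether the resource exists.
    entity = claims["sub"]
    if resource_owner != entity:
        return Decision(403, "insufficient_scope", None)
    return Decision(200, None, entity)
```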
Comments (4)
reporter - changed status to resolved
PR merged
- changed component to FAPI2: Security Profile
+1 to simply simplify