We have these clauses for Resource Servers
shall verify that the scope of the access token authorizes the access to the resource it is representing ...
shall identify the associated entity to the access token ...
shall only return the resource identified by the combination of the entity implicit in the access and the granted scope and otherwise return errors as in section 3.1 of [@!RFC6750]
I’m not sure how we can test them and I’m not sure about the language.
We need to consider that some RS endpoints will be POST / PATCH / PUT, i.e. an action is being performed rather than just a resource being returned.
Can we not simplify the above 3 clauses to something like:
shall verify that the authorization represented by the access token is sufficient for the requested resource access
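Added example (not from the issue or the FAPI specification text): a minimal resource-server check that implements the three quoted clauses, including the point raised about POST/PATCH/PUT. The token metadata, the resource store and the scope-per-method table are constructed inline and the names (`TokenInfo`, `REQUIRED_SCOPE`, `handle_request`) are hypothetical. The entity bound to the token is used to constrain the lookup, so the server never returns a resource the token's subject does not own, and failures map to the RFC 6750 section 3.1 error codes.

```python
from dataclasses import dataclass, field
from typing import Optional, Tuple

@dataclass
class TokenInfo:
    """Constructed stand-in for the result of validating an access token
    (e.g. an introspection response or a verified JWT)."""
    active: bool
    subject: str                      # entity the token was issued to
    scopes: set = field(default_factory=set)

# Hypothetical policy table: which scope each (resource type, HTTP method)
# requires. Write-style methods perform an action and need a write scope.
REQUIRED_SCOPE = {
    ("accounts", "GET"): "accounts:read",
    ("accounts", "POST"): "accounts:write",
    ("accounts", "PUT"): "accounts:write",
    ("accounts", "PATCH"): "accounts:write",
    ("accounts", "DELETE"): "accounts:write",
}

# Constructed resource store keyed by (owner entity, resource id).
ACCOUNTS = {
    ("alice", "acc-1"): {"id": "acc-1", "owner": "alice", "balance": 100},
    ("bob", "acc-2"): {"id": "acc-2", "owner": "bob", "balance": 250},
}

def bearer_error(status: int, error: str, scope: Optional[str] = None) -> Tuple[int, dict, None]:
    """Build an RFC 6750 section 3.1 style error response."""
    challenge = f'Bearer error="{error}"'
    if scope:
        challenge += f', scope="{scope}"'
    return status, {"WWW-Authenticate": challenge}, None

def handle_request(token: Optional[TokenInfo], resource_type: str,
                   method: str, resource_id: str) -> Tuple[int, dict, Optional[dict]]:
    """Return (status, headers, body) for a resource request.

    Clause 1: the token's scope must authorize this access (method-aware).
    Clause 2: the entity is taken from the token, never from the request.
    Clause 3: only the resource identified by (entity, scope) is returned;
              anything else is an RFC 6750 error.
    """
    # Missing, expired or revoked token -> 401 invalid_token.
    if token is None or not token.active:
        return bearer_error(401, "invalid_token")

    # Unknown resource/method combination: no policy means no access.
    needed = REQUIRED_SCOPE.get((resource_type, method.upper()))
    if needed is None:
        return bearer_error(403, "insufficient_scope")

    # Clause 1: granted scope must cover the action, not just "a" scope.
    if needed not in token.scopes:
        return bearer_error(403, "insufficient_scope", scope=needed)

    # Clauses 2 and 3: look up by (token subject, id). A valid id owned by
    # another entity is simply not found for this token, so the RS cannot
    # be talked into returning someone else's resource. The error chosen
    # here (403 insufficient_scope) is a design choice, not mandated text.
    resource = ACCOUNTS.get((token.subject, resource_id))
    if resource is None:
        return bearer_error(403, "insufficient_scope")

    return 200, {}, resource

if __name__ == "__main__":
    read_only = TokenInfo(active=True, subject="alice", scopes={"accounts:read"})
    print(handle_request(read_only, "accounts", "GET", "acc-1"))    # 200, alice's account
    print(handle_request(read_only, "accounts", "PATCH", "acc-1"))  # 403 insufficient_scope
    print(handle_request(read_only, "accounts", "GET", "acc-2"))    # 403, bob's account
```

The method-aware table is what makes the clauses hold for action endpoints: a read scope on a PATCH is rejected even though the caller is the legitimate owner, and the owner check is taken from the validated token rather than from anything the client sent.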