Clarify semantics of "access" element
yaronf opened this issue · 0 comments
YS: Introspection: semantics of the access element in the request is not clear, and it may be easier to remove it completely. Otherwise, we should say that the access element in the response MUST be filtered per the request. On a related note: is it explicitly stated anywhere that an empty access array means no access is allowed?
JR: This is the RS telling the AS “in order to access me (RS), the token needs to have at least these access elements”. The AS can use that information to determine whether the token in question meets that set of requirements. An empty access array (in the response) does not mean no access is allowed, it means that no access is specified. In all cases, the RS makes the final determination of whether and how to serve the request.
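As an added example (not code from the issue, the GNAP drafts, or either commenter), the following shows one way to apply the "at least these access elements" reading described above: the RS's required rights are checked against the rights the AS reports for the token, and an empty required list is treated as "nothing specified" rather than "nothing allowed". The shape of the right objects and the subset matching on their list fields are assumptions made for illustration.

```python
from typing import Any

# Constructed sample data (not taken from the issue): the rights the RS says a
# token needs in order to access it. A right is either a string reference or an
# object with a "type" and optional list-valued fields (assumed shape).
REQUIRED_BY_RS: list[Any] = [
    {"type": "photo-api", "actions": ["read"], "locations": ["https://rs.example/photos/"]},
    "dolphin-metadata",
]

# Constructed sample token rights, as an AS might report them in an introspection response.
TOKEN_ACCESS: list[Any] = [
    {"type": "photo-api", "actions": ["read", "write"],
     "locations": ["https://rs.example/photos/"], "datatypes": ["image"]},
    "dolphin-metadata",
]

LIST_FIELDS = ("actions", "locations", "datatypes")


def right_covers(have: Any, need: Any) -> bool:
    """True if the token right `have` grants at least what `need` asks for."""
    if isinstance(need, str) or isinstance(have, str):
        # Reference rights are opaque names: they match only by exact equality.
        return have == need
    if have.get("type") != need.get("type"):
        return False
    for field in LIST_FIELDS:
        needed = need.get(field)
        if needed is None:
            continue  # assumption: an absent field places no constraint on that dimension
        if not set(needed) <= set(have.get(field, [])):
            return False  # the token is missing at least one required value
    return True


def access_satisfies(token_access: list[Any], required: list[Any]) -> bool:
    """Every right the RS requires must be covered by some right the token holds.

    An empty `required` list means no access was specified, so there is nothing
    to check and the result is True; the RS still makes the final decision on
    whether and how to serve the request.
    """
    return all(any(right_covers(have, need) for have in token_access) for need in required)
```

A token carrying only `read` would fail a requirement for `["read", "write"]`, while a token with no rights at all passes only when the RS specified no requirements.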