On Fri, Aug 17, 2018 at 1:34 AM, Eve Maler <eve@xmlgrrl.com> wrote:
Fourth, Adrian, you bring up the challenges of client app trust, particularly in the context of a loosely coupled AS and RS (which UMA has done a lot of deep work around, but which is starting to creep into the OAuth WG's thinking a bit now too). If there were outputs from the meeting in DC that describe the requirements around warnings, can we take a look? It's a bit odd to say that it's the RS that doesn't trust the client app, given that the RS doesn't really have a relationship with the client; the AS does. (The AS is what issues and checks client credentials.)Don't know about the requirements, but yeah, we can take a look :)Agree that AS is the main authority. But I think RS can also decide whether or not a client is trustworthy. Even if backed by information from AS. For instance, what if RS only allow access from Client X if authentication level is Y ?