I realized that we had an unstated MAY here. Instead of trying to squish the statement into the RReg "protected resource" definition as before, I've now broken this out into a paragraph in RReg Sec 2, Resource Registration, as follows:
"A resource server MAY register and manage as a single protected resource a set of digital data or API endpoints that, from its perspective, consists multiple parts, has dynamic elements, or otherwise has internal complexity; it alone is responsible for maintaining any required mappings between this complexity and the resource identifier known to the authorization server."
This is something that, in fact, the HEART group has been facing in its discussions about the FHIR API, and other APIs that are working on UMA protection will face it as well (though FHIR has the worst of it since it's a complex API).
Let me know what you think.
Eve Maler
Cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl