Closed michielbdejong closed 2 weeks ago
It's AS chaining, not shopping cart + checkout! So different from lodging intent flow Reason is that the AS doesn't understand the fine-grained RO admin access, so it can't know what the max scope is.
Between AS and RH use a stripped-down authorization code flow, + view API
another security consideration: don't give access to 'my billing', because the AS doesn't know who the RO on the RS is