14 June meeting

[michielbdejong]

• subdance
• login hint from AS to RH not necessary; SURFConext has cookies!
• use GNAP-RS
• RH displays "shopping cart"
• AS displays "checkout", and the rest of token management, revocation etc
• resource helper should provide info to add into the token? -> check how GNAP-RS does this
• viewer API on RH (careful: only show things the currently logged-in user is authorised to view)
• granting write access to publicly readable resources -> don't specify access rights larger than the current user has!

[michielbdejong]

It's AS chaining, not shopping cart + checkout! So different from lodging intent flow Reason is that the AS doesn't understand the fine-grained RO admin access, so it can't know what the max scope is.

Between AS and RH use a stripped-down authorization code flow, + view API

[michielbdejong]

another security consideration: don't give access to 'my billing', because the AS doesn't know who the RO on the RS is