Would a token grant access to anything more specific than the provided resource, or would it be only for that specific resource? (e.g. should a token for https://example.com/alice/ also work on https://example.com/alice/feed)
Giving meaning to the URLs like this is convenient but may be misleading or break security boundaries in unexpected ways.
An alternative would be to include another parameter, such as the previously discussed "realm", or to somehow use scopes for this.
(copying from the wiki)
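An added example (not part of the original issue or of any spec text) contrasting the two readings asked about above, exact-resource matching and path-prefix matching, next to a naive string-prefix check that shows how a URL-based boundary can break. The function names, the `policy` parameter and the sample URLs other than the two in the question are assumptions made for illustration.

```python
import posixpath
from urllib.parse import urlsplit

def _parts(url):
    """Return (scheme, host, port, normalized path); query and fragment are ignored."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    port = u.port or {"http": 80, "https": 443}.get(scheme)
    path = u.path or "/"
    # Refuse encoded slashes/dots and backslashes instead of guessing how
    # the resource server will decode them.
    low = path.lower()
    if "%2f" in low or "%2e" in low or "\\" in path:
        raise ValueError("ambiguous path")
    norm = posixpath.normpath(path)          # collapses "." and ".." segments
    if path.endswith("/") and norm != "/":
        norm += "/"                          # normpath drops the trailing slash
    return scheme, (u.hostname or "").lower(), port, norm

def token_covers(token_resource, request_url, policy="exact"):
    """Hypothetical check: does a token issued for token_resource cover request_url?"""
    try:
        t, r = _parts(token_resource), _parts(request_url)
    except ValueError:
        return False
    if t[:3] != r[:3]:                       # scheme, host and port must match
        return False
    if policy == "exact":
        return t[3] == r[3]
    if policy == "prefix":
        # Compare on whole path segments, so /alice never covers /alice-other.
        base = t[3] if t[3].endswith("/") else t[3] + "/"
        return r[3] == t[3] or r[3].startswith(base)
    raise ValueError("unknown policy: " + policy)

def naive_covers(token_resource, request_url):
    """Plain string prefix test, shown only for comparison."""
    return request_url.startswith(token_resource)
```

Under the `exact` policy the token for `https://example.com/alice/` does not cover `https://example.com/alice/feed`; under `prefix` it does, which is the choice the question leaves open.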