protected_ resources
Registry Context
The protected_resources authorization server metadata field lets an authorization server publish an optional list of OAuth protected resource identifiers that can be used with it.
Technical Summary
protected_resources is an optional OAuth Authorization Server Metadata parameter whose value is a JSON array of resource identifiers for OAuth protected resources usable with the authorization server. The authorization server may omit supported protected resources from the list.
When Used
Used when the set of legitimate protected resources that can be used with the authorization server is enumerable.
Normative Requirements
Authorization servers
RFC 9728 - Section 4
May choose not to advertise some supported protected resources..
Condition: When protected_resources is used.
Authorization servers MAY choose not to advertise some supported protected resources even when this parameter is used.
RFC 9728 - Section 4
May include protected_resources in its authorization server metadata as a JSON array of resource identifiers for OAuth protected resources that can be used with the authorization server..
protected_resources OPTIONAL. JSON array containing a list of resource identifiers for OAuth protected resources that can be used with this authorization server.
Validation Guidance
If protected_resources is present, verify that it is a JSON array containing resource identifiers for OAuth protected resources that can be used with the authorization server.
Do not treat omission of a protected resource from protected_resources as proof that the authorization server does not support that resource.
When an application profile uses both authorization server and protected resource metadata lists, cross-check the lists for consistency.
Reference
Details
- Entry Id
protected_resources - Metadata Name
protected_resources - Metadata Description
JSON array containing a list of resource identifiers for OAuth protected resources- Change Controller
IETF- Reference
RFC9728 - Section 4