oauth2.dev

protected_resources

IETF

Registry Context

The protected_resources authorization server metadata field lets an authorization server publish an optional list of OAuth protected resource identifiers that can be used with it.

Technical Summary

protected_resources is an optional OAuth Authorization Server Metadata parameter whose value is a JSON array of resource identifiers for OAuth protected resources usable with the authorization server. The authorization server may omit supported protected resources from the list.

When Used

Used when the set of legitimate protected resources that can be used with the authorization server is enumerable.

Normative Requirements

Authorization servers

MAY
1
  1. RFC 9728 - Section 4

    May choose not to advertise some supported protected resources..

    Condition: When protected_resources is used.

    Authorization servers MAY choose not to advertise some supported protected resources even when this parameter is used.

OPTIONAL
1
  1. RFC 9728 - Section 4

    May include protected_resources in its authorization server metadata as a JSON array of resource identifiers for OAuth protected resources that can be used with the authorization server..

    protected_resources OPTIONAL. JSON array containing a list of resource identifiers for OAuth protected resources that can be used with this authorization server.

Validation Guidance

error

If protected_resources is present, verify that it is a JSON array containing resource identifiers for OAuth protected resources that can be used with the authorization server.

info

Do not treat omission of a protected resource from protected_resources as proof that the authorization server does not support that resource.

info

When an application profile uses both authorization server and protected resource metadata lists, cross-check the lists for consistency.

Reference

Details

Entry Id
protected_resources
Metadata Name
protected_resources
Metadata Description
JSON array containing a list of resource identifiers for OAuth protected resources
Change Controller
IETF
Reference
RFC9728 - Section 4