resource
Registry Context
The `resource` parameter lets a client identify the protected API or service for which it is requesting access. Its value must be an absolute URI without a fragment, and the client should generally use the most specific applicable API base URI.
Technical Summary
RFC 8707 defines `resource` for authorization requests and access token requests. Each value is an absolute URI without a fragment; a query component is discouraged but may be useful for application scoping. Multiple parameter instances can identify multiple target resources.
When Used
Authorization requests to the authorization endpoint and access token requests to the token endpoint.
Normative Requirements
Clients
RFC 8707 - Section 2
provide the most specific URI it can for the complete API or set of resources it intends to access.
Condition: When selecting a `resource` value.
The client SHOULD provide the most specific URI
RFC 8707 - Section 2
use the base URI of the API as the `resource` parameter value.
Condition: Unless specific knowledge of the resource dictates otherwise.
The client SHOULD use the base URI of the API
RFC 8707 - Section 2
indicate the protected resource by including the `resource` parameter in a request to the authorization server.
Condition: When requesting access from the authorization server.
a client MAY indicate the protected resource
RFC 8707 - Section 2
use multiple `resource` parameters to indicate that the requested token is intended for multiple resources.
Condition: When requesting a token usable at multiple resources.
Multiple resource parameters MAY be used
Authorization servers
RFC 8707 - Section 2
audience-restrict issued access tokens to the resources indicated by the `resource` parameter.
Condition: When issuing access tokens for indicated resources.
The authorization server SHOULD audience-restrict issued access tokens
RFC 8707 - Section 2.1
process an authorization request with no specific resource or with a predefined default resource value.
Condition: If the client omits the `resource` parameter.
the authorization server MAY process the request
RFC 8707 - Section 2.1
require clients to specify the resources they intend to access.
Condition: As an alternative to processing omitted `resource` parameters with no resource or a default.
the authorization server MAY require clients to specify the resource(s)
RFC 8707 - Section 2.1
fail an authorization request with an `invalid_target` error.
Condition: If the client omits a required `resource` parameter.
MAY fail requests that omit the parameter with an invalid_target error
resource parameter URI value
RFC 8707 - Section 2
be a locator corresponding to a network-addressable location where the target resource is hosted.
MAY be a locator
resource parameter value
RFC 8707 - Section 2
be an absolute URI.
Condition: When the `resource` parameter is present.
Its value MUST be an absolute URI
resource URI
RFC 8707 - Section 2
include a fragment component.
Condition: When used as a `resource` parameter value.
The URI MUST NOT include a fragment component
RFC 8707 - Section 2
include a query component.
Condition: Unless a query component is useful and necessary, such as for scoping requests to an application.
It SHOULD NOT include a query component
Validation Guidance
Reject `resource` values that are not absolute URIs or that contain a fragment component.
Warn when a `resource` URI includes a query component unless the query is useful and necessary for application scoping.
Support repeated `resource` parameters for requests targeting multiple resources.
Prefer the most specific applicable API base URI when generating a `resource` value, unless specific resource knowledge dictates otherwise.
Audience-restrict issued access tokens to the indicated resources.
Apply documented authorization-server policy when `resource` is omitted: process without a specific resource, use a default, or require the parameter and return `invalid_target`.
Security Notes
RFC 8707 - Section 2
The authorization server should audience-restrict issued access tokens to the resources indicated by the `resource` parameter. It may use the exact value or map it to a more general URI or abstract resource identifier.
Reference
Details
- Entry Id
resource- Name
resource- Parameter Usage Location
authorization request, token request- Change Controller
IESG- Reference
RFC8707