The `oauth_resource_indicators` feature allows scoping a grant to one specific resource, or a group of resources, each identified by a URL (Resource Indicators for OAuth 2.0, RFC 8707).

This serves applications that require different access levels per resource server, and it prevents "scope leaks": a token carrying certain permissions may be compromised at one resource server, but it cannot be used against any resource server other than the one it was issued for. That protection only holds if every resource server checks that its own identifier is among the token's resources and rejects the token otherwise.
```ruby
plugin :rodauth do
  enable :oauth_authorization_code_grant, :oauth_resource_indicators
end
```
Enabling `:oauth_resource_indicators` adds support for the "resource" parameter in the following requests. The parameter may be repeated to name several resources.

Authorization request (GET /authorize)

"resource"
: The resource (or resources) which the grant is scoped to. Example: https://oauth-server.com/authorize?client_id=23uhu23d89u3298du21j38q&redirect_uri=https%3A%2F%2Fclient.com%2Fcallback&scope=bricks.build+bricks.destroy&state=23r0rif3j0923j&resource=https%3A%2F%2Fcal.example.com%2F&resource=https%3A%2F%2Fcontacts.example.com%2F

Authorization form submission (POST /authorize, which creates the grant)

"resource"
: The resource (or resources) which the grant is scoped to.

Token request

"resource"
: The resource (or resources) which the token is scoped to. When the request is tied to an existing grant (such as an authorization code exchange), the requested resources must be a subset of, or all of, the resources the grant is scoped to; a request can narrow the grant's resources but never widen them.

Resource Indicators can also be used with the `oauth_jwt` feature: the resources are set as an array in the "aud" claim of JWT access tokens, so a resource server can verify that its own URL is listed there before accepting the token.
When used with the `oauth_token_introspection` feature, the introspection response contains the resources under the "aud" field; a resource server that relies on introspection should apply the same check and reject tokens whose "aud" does not include its own identifier.
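As an added example (not code from rodauth-oauth), the following Ruby module shows both halves of the mechanism described above: the subset check the token request must pass, and a resource server verifying that its own URL appears in the "aud" claim of a JWT access token, where the `oauth_jwt` integration places the resource list. The module name, the HS256 signing helper and the sample secret are assumptions made for the demo; in a real deployment the token is issued by rodauth-oauth and the resource server verifies it against the server's published key, but the audience check is the same.

```ruby
require "json"
require "openssl"

# Hypothetical demonstration module; not part of rodauth-oauth.
# It shows the two checks that make resource indicators effective:
#   1. the authorization server only issues tokens for resources the grant covers;
#   2. each resource server accepts only tokens whose "aud" names that server.
module ResourceIndicatorDemo
  # Error code RFC 8707 defines for an unknown or disallowed resource value.
  INVALID_TARGET = "invalid_target"

  # Authorization-server side. A token request may narrow the grant's resources
  # but never widen them; an empty request keeps the grant's full list.
  def self.resources_for_token(grant_resources, requested_resources)
    requested = Array(requested_resources)
    return grant_resources.dup if requested.empty?
    extra = requested - grant_resources
    raise ArgumentError, INVALID_TARGET unless extra.empty?
    requested
  end

  def self.b64url(bytes)
    [bytes].pack("m0").tr("+/", "-_").delete("=")
  end

  def self.b64url_decode(str)
    s = str.tr("-_", "+/")
    s += "=" * ((4 - s.length % 4) % 4)
    s.unpack1("m0")
  end

  # Minimal HS256 JWT access token; the resource list goes into "aud",
  # the same claim the oauth_jwt feature uses for resource indicators.
  def self.issue_access_token(secret, resources, scope:, now: Time.now.to_i, ttl: 300)
    header  = { alg: "HS256", typ: "at+jwt" }
    payload = { aud: resources, scope: scope, iat: now, exp: now + ttl }
    signing_input = "#{b64url(JSON.generate(header))}.#{b64url(JSON.generate(payload))}"
    sig = OpenSSL::HMAC.digest("SHA256", secret, signing_input)
    "#{signing_input}.#{b64url(sig)}"
  end

  # Resource-server side. Returns [true, payload] or [false, reason].
  # A token issued for cal.example.com is rejected by contacts.example.com
  # even though its signature is valid: that is the "scope leak" the feature prevents.
  def self.verify_for_resource(token, secret, my_resource, now: Time.now.to_i)
    h, p, s = token.split(".")
    return [false, "malformed"] unless h && p && s
    expected = b64url(OpenSSL::HMAC.digest("SHA256", secret, "#{h}.#{p}"))
    return [false, "bad_signature"] unless secure_compare(expected, s)
    payload = JSON.parse(b64url_decode(p))
    return [false, "expired"] if payload["exp"].to_i <= now
    return [false, "wrong_audience"] unless Array(payload["aud"]).include?(my_resource)
    [true, payload]
  end

  # Constant-time comparison so the signature check does not leak timing.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

if __FILE__ == $0
  secret = "demo-signing-secret" # constructed sample value, not a real key
  grant  = ["https://cal.example.com/", "https://contacts.example.com/"]
  # Token request narrows the grant to the calendar resource only.
  resources = ResourceIndicatorDemo.resources_for_token(grant, ["https://cal.example.com/"])
  token = ResourceIndicatorDemo.issue_access_token(secret, resources, scope: "bricks.build")
  p ResourceIndicatorDemo.verify_for_resource(token, secret, "https://cal.example.com/").first
  p ResourceIndicatorDemo.verify_for_resource(token, secret, "https://contacts.example.com/")
end
```

Running the script accepts the token at cal.example.com and rejects it at contacts.example.com with `wrong_audience`; asking the token endpoint for a resource outside the grant raises `invalid_target`, the error code RFC 8707 prescribes for that case.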