...
- How does the AM learn details about the Host? It needs to know
- it's name, description, maybe TOS
- which resources are available and to be configured
- How to do AM and Host work to together? Shouldn't the policies maybe be defined on the Host as it knows much more about the semantics of it's own resources. It might then send profile identifiers to the AM which this can protect (or so..)
- Is there a distinction in claims about the requester and claims about the requesting party? (e.g. requester "allow access to newspaper.com because I just talked to them", requesting party: "needs to be older than 18").
Brainstorming
- Would it also makes sense the other way round in that the AM actually retrieves an Access Token from the Host? That way the AM could serve as a proxy and more or less relay an access token produced on the Host to the Requester while still doing auditing and maybe filtering access according to some policies (but then again: Wouldn't these policies be better handled on the Host side anyway?).
...