OAuth for multi-homed Data

February 2024

In my previous blog post I started thinking about multi-homed data and access control, and this topic is still fascinating me.

OAuth is a very successful framework for API access control. It seems data spaces could be built by using OAuth on each link of the network. This is a bit of a paradigm shift, though. First of all, there will often be a requesting party, as in UMA, and this is not necessarily the resource owner. This is already an accepted evolution of OAuth.

Second, for multi-homed data, each client becomes a potential additional resource server itself. Each time access is granted, the boundary of the trust domain changes to include this new network node. This is already incorporated in how Open Cloud Mesh handles resharing, but OAuth just focuses on a single link in the network.
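To make the trust-domain argument concrete, here is an added toy model (not OCM or OAuth code, and not from the original post) of a reshare chain: each accepted link turns the holder into the next resource server, and, as an assumed least-privilege rule, a reshare may only narrow the scopes it received. The node names and the `Grant` structure are constructed for the example.

```python
from dataclasses import dataclass

# Constructed model: one Grant per link in the multi-homed chain. The holder
# of a grant may act as resource server for the next link. The attenuation
# rule (reshares never widen scope) is an assumption of this example, not a
# rule stated by OAuth or OCM.

@dataclass(frozen=True)
class Grant:
    issuer: str             # node acting as resource server for this link
    holder: str             # node acting as client, and possible next RS
    requesting_party: str   # UMA-style requesting party, may differ from owner
    scopes: frozenset

def validate_chain(owner: str, chain: list) -> tuple:
    """Walk the chain from the owner outward.

    Returns (ok, trust_domain, reason). The trust domain grows by one node
    per accepted link; validation stops at a link whose issuer is not the
    current RS, at a loop back into the domain, or at a widened scope."""
    trust_domain = [owner]
    effective = None  # scopes reachable at the chain's current end
    for i, g in enumerate(chain):
        if g.issuer != trust_domain[-1]:
            return False, trust_domain, f"link {i}: issuer {g.issuer} is not the current RS"
        if g.holder in trust_domain:
            return False, trust_domain, f"link {i}: {g.holder} is already in the trust domain"
        if effective is not None and not g.scopes <= effective:
            return False, trust_domain, f"link {i}: reshare widens scope"
        effective = g.scopes
        trust_domain.append(g.holder)
    return True, trust_domain, "ok"

# Constructed sample chain: alice shares with bob, bob reshares read-only.
SAMPLE = [
    Grant("alice@cloud-a", "bob@cloud-b", "bob@cloud-b", frozenset({"read", "write"})),
    Grant("bob@cloud-b", "carol@cloud-c", "carol@cloud-c", frozenset({"read"})),
]
```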

As in the work on [OAuth scope pickers](https://github.com/pondersource/surf-token-based-access) I'm doing with SURF, authorization servers will need to be more decoupled from resource servers, so dynamic scopes need to be supported.

And as in the work on [Open Cloud Mesh](https://github.com/cs3org/OCM-API/issues/80), the flow need not start at the client; it could be an "RS-first" flow, initiated by the resource server.