[Openid-specs-ab] YATVE (Yet Another Token Validation endpoint)

AOLのトークン検証エンドポイント仕様。JWTなATの署名などを検証後、そこに入ってるuidがRSにおいて連携済みかどうか確認。もし連携済みならATをAuthZ Svrに投げる。ASはATが有効ならuidのみを返す(性能的に有利)。UserInfo的な何かはPoCo

Another interesting issue regarding the CDN is authorization. Ourcontent, and the tenants’ content, is not to be freely handed out. So,even though a given resource (for a given tennant) is cached at theCDN, it can’t just be handed over. The CDN is not wired in as aresource server checking out our token store etc., so it cannot dealwith the OAuth token itself. Both Akamai and Edgecast, for example,can be set up to forward requests to the origin server forauthorization. All information (method, URI, headers, params) are madeavailable, so just like any other request, I can verify the token andtenant ID, and indicate whether or not the CDN is to return the cacheobject (and perhaps update it with a new version) or not.

There is obvious overhead to this forwarding for authorization, but I don’t see another way around it.

Code abstraction for API in large projects - Google グループ CDNとOAuth