As I understand it, after application A has obtained a bearer token, it can share it with client B. But what if client A wants to share the token with a reduced set of permissions compared to those delegated to it?
For example: I have a server that hosts statistics (let's call it S) and it has an OAuth2 API. There is also a report server (let's call it R).
Client (C) logs in to S and does some manipulations with statistics. C can only interact with statistics that are owned by him. C also wants to view reports from R: C -- get report --> R -- get statistics --> S -- statistics --> R -- report --> C
- I don't want to give full access privileges (no authorization at all) to the report server, because users can add their own reports, which could accidentally corrupt or see other users' statistics;
- I don't want to give the bearer token issued for A to the report server, because a report may accidentally corrupt statistics owned by A. A can read and write, but R only needs to see data.
I'm searching for a way to delegate a reduced set of permissions to server R in a way that is transparent to the end user (without an additional username and password and/or confirmation requests).
Can this fit into the OpenID concept, or should I implement my own protocol on top of OAuth2? Maybe there are other solutions?
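The delegation pattern the question is asking about, as an added illustration that is not part of the original post and not code from the asker's servers: the authorization server issues C a token with read and write scope for S, then performs a token-exchange step (modelled loosely on the OAuth 2.0 Token Exchange grant, RFC 8693) in which C's token is traded for a second token, bound to R as the actor, that carries only the `statistics:read` scope. S checks scope on every request, so R can read on C's behalf but a buggy report cannot write. The HMAC-signed token format, the shared `SIGNING_KEY`, the scope names and the function names `issue_token`, `exchange_for_reduced_token` and `authorize_request` are all assumptions made for this example.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumption: one HMAC key shared by the authorization server and the statistics
# server S. A real deployment would use asymmetric keys (e.g. signed JWTs).
SIGNING_KEY = b"constructed-demo-signing-key"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject, scopes, audience, ttl=300, actor=None, now=None):
    """Mint a signed token. `scopes` is the full permission set the holder may use."""
    now = time.time() if now is None else now
    claims = {
        "sub": subject,               # the user on whose behalf the token acts (C)
        "aud": audience,              # the resource server that may accept it (S)
        "scope": sorted(set(scopes)),
        "exp": now + ttl,
    }
    if actor is not None:
        claims["act"] = actor         # the delegate holding this token (R)
    payload = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{sig}"


def verify_token(token, now=None):
    """Check signature and expiry; return the claims or raise ValueError."""
    now = time.time() if now is None else now
    try:
        payload, sig = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    expected = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_unb64(sig), expected):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(payload))
    if claims["exp"] <= now:
        raise ValueError("token expired")
    return claims


def exchange_for_reduced_token(subject_token, requested_scopes, actor, ttl=120, now=None):
    """Token-exchange step run by the authorization server: the holder presents its
    own token and asks for a new one, for a delegate, carrying a subset of its scopes.
    The new token can never hold more than the presented one."""
    claims = verify_token(subject_token, now=now)
    granted = set(claims["scope"])
    requested = set(requested_scopes)
    if not requested <= granted:
        raise ValueError(f"cannot grant scopes beyond the original: {sorted(requested - granted)}")
    return issue_token(claims["sub"], requested, claims["aud"], ttl=ttl, actor=actor, now=now)


def authorize_request(token, required_scope, audience, now=None):
    """Resource-server check (S): accept only if the token is valid, was issued for
    this server, and carries the scope the operation needs."""
    try:
        claims = verify_token(token, now=now)
    except ValueError:
        return False
    return claims["aud"] == audience and required_scope in claims["scope"]


if __name__ == "__main__":
    user_token = issue_token("user-c", ["statistics:read", "statistics:write"], "S")
    report_token = exchange_for_reduced_token(user_token, ["statistics:read"], actor="report-server")
    print("R may read:", authorize_request(report_token, "statistics:read", "S"))
    print("R may write:", authorize_request(report_token, "statistics:write", "S"))
```

Because the exchanged token records both `sub` (C) and `act` (R), S can log which delegate made a request on whose behalf, and the short `ttl` on the delegated token limits how long a leaked copy is useful; neither property requires C to re-enter credentials, so the step stays transparent to the end user.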