
I spent time googling and searching SO for an answer to this.

I am looking into OAuth and access control while studying for a certification. The access token has the user-authorized scopes for the client app. Since the user has ownership of their resources and is explicitly authorizing a client app access, this seems like a Discretionary Access Control method. However, some (personal) websites toss out the term ABAC (Attribute-Based Access Control) without providing good justification.

The RFCs relating to JWT (RFC 7519) and Access Tokens (RFC 6749) have not answered my question in a way that I recognize.

Am I asking the wrong question, or is the answer something other than DAC, ABAC or RBAC (role-based access control)?

I did find this one question which seems to give support to my DAC claim.

bad_coder
bitsdanceforme
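To make the question concrete, here is an added example (not part of the original post, and not taken from RFC 6749 or RFC 7519) of what a resource server actually evaluates when an OAuth access token arrives. It mints and verifies a minimal HS256 JWT locally and then applies two separate gates: a scope gate (did the user delegate this kind of action to this client?) and an ownership gate (does the user themselves hold this right, according to the owner's own sharing policy?). The signing key, the `docs:read` / `docs:write` scope names, the client IDs, the users and the `RESOURCES` table are all constructed for illustration. The point it shows is that the scope only narrows what a client may do on the user's behalf; it never widens what the user could do, so the access-control model is set by the second gate, whatever policy the resource server implements there.

```python
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass

# Hypothetical HS256 signing key shared by the authorization server and the
# resource server (constructed for this example; not from the question).
SIGNING_KEY = b"constructed-demo-signing-key"

# Constructed resource table. The resource owner decides who may see what;
# this table is that owner-controlled policy, independent of any client app.
RESOURCES = {
    "doc-1": {"owner": "alice", "read_shared_with": {"bob"}},
}

# Scope a request needs, per action (scope names assumed for this example).
REQUIRED_SCOPE = {"read": "docs:read", "write": "docs:write"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(sub: str, client_id: str, scope: str, exp: int, key: bytes = SIGNING_KEY) -> str:
    """Stand-in for the authorization server: issue an HS256 JWT whose
    `scope` claim records what the user (sub) authorized the client to do."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(
        {"sub": sub, "client_id": client_id, "scope": scope, "exp": exp},
        separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str, now: int, key: bytes = SIGNING_KEY) -> dict:
    """Resource-server side: check alg, signature and expiry before trusting any claim."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token") from None
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token choose the algorithm
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def authorize(token: str, action: str, resource_id: str, now: int) -> Decision:
    """Two independent gates; both must pass.

    1. Scope gate: did the user delegate this kind of action to the client?
       Scopes only narrow what the client may do on the user's behalf.
    2. Ownership gate: does the user (sub) hold this right at all?  This is
       the resource owner's own policy, which a scope can never widen.
    """
    claims = verify_token(token, now)
    granted = set(claims.get("scope", "").split())
    needed = REQUIRED_SCOPE[action]
    if needed not in granted:
        return Decision(False, f"client {claims['client_id']} lacks scope {needed}")

    resource = RESOURCES.get(resource_id)
    if resource is None:
        return Decision(False, "no such resource")
    user = claims["sub"]
    if user == resource["owner"]:
        return Decision(True, "owner")
    if action == "read" and user in resource["read_shared_with"]:
        return Decision(True, "shared by owner")
    return Decision(False, f"{user} has no {action} right on {resource_id}")


def demo() -> list:
    """Run four constructed scenarios and return the decisions in order."""
    now, exp = 1_700_000_000, 1_800_000_000
    alice_full = mint_token("alice", "notes-app", "docs:read docs:write", exp)
    alice_read = mint_token("alice", "viewer-app", "docs:read", exp)
    bob_full = mint_token("bob", "notes-app", "docs:read docs:write", exp)
    return [
        authorize(alice_full, "write", "doc-1", now),  # owner, scope ok -> allowed
        authorize(alice_read, "write", "doc-1", now),  # owner, but client was not delegated write -> denied
        authorize(bob_full, "read", "doc-1", now),     # shared by owner, scope ok -> allowed
        authorize(bob_full, "write", "doc-1", now),    # scope ok, but bob is not the owner -> denied
    ]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The second and fourth scenarios are the ones worth comparing: in the second, the user could write but the client was only granted `docs:read`, so the scope gate denies; in the fourth, the client holds `docs:write` but the user has no write right, so the ownership gate denies. A scope claim on its own therefore says nothing about which access-control model the resource server follows.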

0 Answers