"If the Access Token has expired or is invalid, the Protected
Resource MUST return: HTTP 401 Unauthorized"
But how about informing the client about how to acquire an access
token? The response could for instance be:
Thereby telling the client which end-point URL(s) it should (could)
acquire an access token from.
Is there any standard for this kind of information? It would make the
client less dependent on a priori knowledge about end-points.
This is an interesting idea and has been suggested a few times in the OAuth
world. This idea is very similar to how web applications issue a redirect to
the browser to the URL of the application's Login server if the user isn't
currently logged into the website.
A potential issue is that some service providers might accept credentials
from multiple auth servers. For example, a SaaS vendor might accept
credentials that are issued by any of their customers. It might not be a
good idea for the SaaS endpoint to return a list of URLs for all of their