The HIE of One project is also built around an Authorization Server receiving Client requests presented according to the IETF GNAP protocol rather than OAuth. A Request includes one or more W3C Verifiable Credentials, a scope, and a purpose. GNAP behaves as a sort of state machine to enable flexible implementations of the sequence in Tiered OAuth.
If the Authorization Server implements both UDAP and GNAP, would the Resource Server target of the Authorization know or care how the request was made?
I'm particularly curious about Authorization as a Capability and which capability standards might be used to improve security around the Resource Server.
- Adrian