This specification defines the "Frdlweb API Specification".
Please note that this draft is a work in progress and will be updated or changed in the future.
An "Frdlweb API" implements a specific subset of API specifications and provides the "Frdlweb API Workflow" and the "Frdlweb API Metadata".
Frdlweb API Workflow
An Frdlweb API implements
Flow 1) The consumer may use the access_token provided by the OAuth2 Authorization Server to make an authorized request on behalf of the End-User to one of the associated JSON-RPC Servers.
The Client Request SHOULD specify the access_token as a "Bearer" token in the "Authorization" header and the "X-Authorization" header of the request.
Flow 2) The consumer may use the access_token to request a protected resource which hands out a time-limited username and password to the client to access the RPC Server methods using Digest-Auth.
If the JSON-RPC Request is a batch request, the server MUST validate the token and its scope for each requested API method. In other words, the token and its scope never authorize the request as a whole, only a single RPC method.
The OAuth Server Origin and the JSON-RPC Server Origin must not be the same. In that case, the servers may use the OAuth 2.0 Introspection Protocol to validate a token, as the RPC method requests a protected resource, but this is outside the scope of this specification.
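The per-method rule for batch requests can be illustrated with a small dispatcher. This is an added example, not part of the specification or of any Frdlweb code; the token store, the method and scope names, the fallback from "Authorization" to "X-Authorization", and the error code -32001 are all assumptions made for the illustration.

```python
import time

# Constructed token store standing in for real token validation (signature
# check or introspection); token values and scope names are hypothetical.
TOKENS = {
    "tok-reader": {"scope": {"notes.read"}, "exp": time.time() + 3600},
    "tok-expired": {"scope": {"notes.read", "notes.write"}, "exp": time.time() - 1},
}
# Hypothetical mapping of RPC method -> scope required to call it.
REQUIRED_SCOPE = {"notes.list": "notes.read", "notes.delete": "notes.write"}
HANDLERS = {"notes.list": lambda p: ["n1", "n2"], "notes.delete": lambda p: True}
UNAUTHORIZED = -32001  # assumption: taken from JSON-RPC's server-defined range


def bearer_token(headers):
    """Return the Bearer token from Authorization, else from X-Authorization."""
    for name in ("Authorization", "X-Authorization"):
        scheme, _, value = headers.get(name, "").partition(" ")
        if scheme.lower() == "bearer" and value.strip():
            return value.strip()
    return None


def authorize(token, method):
    """Validate the token and its scope for ONE method (called per batch entry)."""
    info = TOKENS.get(token)
    if info is None or info["exp"] <= time.time():
        return False
    need = REQUIRED_SCOPE.get(method)  # unmapped methods fail closed
    return need is not None and need in info["scope"]


def handle(headers, payload):
    """Dispatch a single request or a batch, authorizing each entry on its own."""
    token = bearer_token(headers)
    calls = payload if isinstance(payload, list) else [payload]
    replies = []
    for call in calls:
        method = call.get("method")
        if authorize(token, method):
            reply = {"jsonrpc": "2.0", "id": call.get("id"),
                     "result": HANDLERS[method](call.get("params"))}
        else:
            reply = {"jsonrpc": "2.0", "id": call.get("id"),
                     "error": {"code": UNAUTHORIZED, "message": "Unauthorized"}}
        if "id" in call:  # notifications (no id member) get no response entry
            replies.append(reply)
    return replies if isinstance(payload, list) else (replies[0] if replies else None)
```

A batch sent with a read-only token therefore gets a result for `notes.list` and an error object for `notes.delete` in the same response array, instead of the whole batch being accepted or rejected on one check.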
Frdlweb API Metadata
An Frdlweb API Server MUST provide metadata documents, including at least one root metadata document.
The metadata MUST refer to at least