I have a general question on delegation with OAuth2. I watched a great tutorial by Dave Syer on microservices security. As far as I understand, he suggests that individual microservices will be Resource Servers. Which is totally fine.
I also read the token relay section from Spring Cloud Security which, to my understanding, makes your life easier when you plan to forward tokens (but not much more).
The token relay is really acting on behalf of the user (or upstream service). Is there any limitation on which Resource Server is allowed to perform which operations on behalf of the user? Because to me, the fact that the user is allowed to perform an operation is not the same as any Resource Server being allowed to perform that operation on the user's behalf.
I remember this from Kerberos, where it was a big deal to do delegation. Individual services were getting permissions via SPNs for where they could delegate to (to me it was always horrible to set up, but I understood it as necessary).
Is this considered an implementation detail in OAuth2, or am I missing some obvious concept there?
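As an added illustration (not part of the original post, and not code from Spring Cloud Security or Dave Syer's tutorial) of how a resource server can limit which services may present a relayed token on the user's behalf: the standard JWT `aud` (audience) claim from RFC 7519 names the resource servers a token is intended for, and a resource server that is not in that list refuses the token even though the user it represents is perfectly legitimate. The example below assumes HMAC-signed (HS256-style) JWTs with a shared key, and the service names `orders` and `payments`, the subject `alice` and the scope `orders:read` are all made up for the walk-through.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed, hypothetical signing key shared by the authorization server and the
# resource servers in this example (assumption: HS256-style HMAC-signed JWTs).
SIGNING_KEY = b"example-shared-secret-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    padding = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + padding)


def issue_token(subject: str, audiences: list, scope: str, ttl: int = 300) -> str:
    """Authorization-server side: mint a JWT whose `aud` claim names the
    resource servers allowed to accept it."""
    header = {"alg": "HS256", "typ": "JWT"}
    now = int(time.time())
    claims = {"sub": subject, "aud": audiences, "scope": scope, "iat": now, "exp": now + ttl}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_token(token: str, my_audience: str, required_scope: str, now=None) -> dict:
    """Resource-server side: check signature, expiry, audience and scope.
    Raises PermissionError whenever this service must not honour the token."""
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        presented_sig = _b64url_decode(sig_b64)
    except ValueError:
        raise PermissionError("malformed token")
    expected = hmac.new(SIGNING_KEY, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, presented_sig):
        raise PermissionError("bad signature")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise PermissionError("unexpected alg")
    claims = json.loads(_b64url_decode(claims_b64))
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:
        raise PermissionError("token expired")
    # Audience check: a relayed token is only valid at services it was issued for.
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if my_audience not in aud_list:
        raise PermissionError(f"token not intended for {my_audience}")
    if required_scope not in claims.get("scope", "").split():
        raise PermissionError(f"missing scope {required_scope}")
    return claims


def relay_scenario() -> dict:
    """Token-relay walk-through with constructed data: the user's token is
    forwarded to `orders`, which relays it on to `payments`. Only the service
    named in `aud` accepts it, even though the user is valid at both."""
    token = issue_token("alice", ["orders"], "orders:read")
    results = {}
    results["orders"] = verify_token(token, "orders", "orders:read")["sub"]
    try:
        verify_token(token, "payments", "orders:read")
        results["payments"] = "accepted"
    except PermissionError as exc:
        results["payments"] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    print(relay_scenario())
```

The point of `verify_token` is that every resource server checks the token against its own identity, so a token minted for `orders` cannot simply be relayed to `payments`; if `orders` genuinely needs to call `payments` on the user's behalf, it needs a token issued for that audience rather than the one it received.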