
OPDS: Issues with acquisition across domains

Open mpdunlop opened this issue 6 months ago • 10 comments

  • If an OPDS Bookshelf that requires authentication is hosted on a domain (e.g. https://bookshelf.contoso.org/purchased.json)
  • The OAuth Server is on a different domain to that (e.g. https://auth.contoso.org/connect/authorize); and
  • An OPDS publication's acquisition link is on a different domain (e.g. https://download.contoso.org/epub/1d5235d7-044d-46b1-bc8e-913868f20003.epub)

Thorium does not pass the access_token obtained from the OAuth response at auth.contoso.org to download.contoso.org and the request will fail to authenticate.

It appears that the authorization response's bearer token is cached against the OPDS Feed's domain (bookshelf.contoso.org), which cannot later be retrieved by Thorium when using download.contoso.org as a lookup.

To see if it would work, I attempted to return an OPDS Authentication Document when accessing an acquisition link and the request was missing a bearer token. I hoped that the id of the OPDS Authentication Document would be used to look up the existing bearer token, but this also failed to work.

What is the correct way to represent this data and give the user a seamless experience?

mpdunlop, Aug 19 '24 09:08
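
The lookup miss described in the issue, modelled as an added example (not Thorium's code and not from the issue's author): a bearer-token store keyed by the feed's host, next to a store that releases the token only to hosts explicitly listed for it. The class names, the host allow-list, the token value and the `other.contoso.org` URL are assumptions; the feed and download URLs are the ones from the issue.

```javascript
// Added illustration, not Thorium's code. Class names and the token are constructed.
const FEED = "https://bookshelf.contoso.org/purchased.json";
const DOWNLOAD =
  "https://download.contoso.org/epub/1d5235d7-044d-46b1-bc8e-913868f20003.epub";

// Model of the behaviour the issue describes: token cached under the feed's host.
class HostKeyedTokenStore {
  constructor() { this.byHost = new Map(); }
  save(feedUrl, token) { this.byHost.set(new URL(feedUrl).host, token); }
  lookup(requestUrl) { return this.byHost.get(new URL(requestUrl).host); }
}

// Assumed alternative: the token carries an explicit list of hosts it may be sent to.
// Exact host match only, so it is never attached to a sibling or unrelated host.
class ScopedTokenStore {
  constructor() { this.entries = []; }
  save(token, allowedHosts) {
    this.entries.push({ token, hosts: new Set(allowedHosts) });
  }
  lookup(requestUrl) {
    const url = new URL(requestUrl);
    if (url.protocol !== "https:") return undefined; // no bearer token over cleartext
    const entry = this.entries.find((e) => e.hosts.has(url.host));
    return entry ? entry.token : undefined;
  }
}

// Build request headers; no Authorization header when the store has no match.
function authHeaders(store, requestUrl) {
  const token = store.lookup(requestUrl);
  return token ? { Authorization: `Bearer ${token}` } : {};
}

function demo() {
  const hostKeyed = new HostKeyedTokenStore();
  hostKeyed.save(FEED, "constructed-token");
  const scoped = new ScopedTokenStore();
  scoped.save("constructed-token", ["bookshelf.contoso.org", "download.contoso.org"]);
  return {
    hostKeyedFeed: authHeaders(hostKeyed, FEED),
    hostKeyedDownload: authHeaders(hostKeyed, DOWNLOAD), // miss: different host
    scopedDownload: authHeaders(scoped, DOWNLOAD),
    scopedOther: authHeaders(scoped, "https://other.contoso.org/x.epub"),
    scopedCleartext: authHeaders(scoped, "http://download.contoso.org/x.epub"),
  };
}

console.log(demo());
```

The host-keyed miss is also what keeps a token from being sent to an origin it was never issued for, so any widening of the lookup should stay an explicit, exact-match list rather than a domain suffix match.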