Providing selective access to resources

US2018020005A1 · US · A1

Patent metadata

Publication number: US-2018020005-A1
Application number: US-201515542836-A
Country: US
Kind code: A1
Filing date: Apr 7, 2015
Priority date: Apr 7, 2015
Publication date: Jan 18, 2018
Grant date: not listed

Abstract

Official abstract text for this publication.

Examples relate to providing selective access to resources. In one example, a computing device may: receive, from a client application, a request to access a first resource server, the request including a client access token; identify a first set of permissions specified by a client topology, the client topology specifying: the first resource server; the first set of permissions for accessing, by the client application, the first resource server; a second resource server; and a second set of permissions for accessing, by the first resource server, the second resource server; provide the client application with a first access token specifying the first set of permissions and the first resource server; receive, from the first resource server, a request to access the second resource server, the request including the first access token; and provide the first resource server with a second access token specifying the second set of permissions.

Claims

We claim:

1. A non-transitory machine-readable storage medium encoded with instructions executable by a hardware processor of a computing device for providing selective access to resources, the machine-readable storage medium comprising instructions to cause the hardware processor to: receive, from an authorization server, an access token for accessing resources associated with a first resource server; provide the authorization server with the access token and a request to access the first resource server; receive, from the authorization server, a first token, the first token specifying a first set of permissions for accessing the first resource server and, as a first audience, the first resource server, the first set of permissions being specified by a client topology, the client topology specifying: the first resource server; the first set of permissions for accessing the first resource server; a second resource server; and a second set of permissions for accessing, by the first resource server, the second resource server; and provide the first resource server with a resource request for a resource, the resource request including the first token.

2. The storage medium of claim 1, wherein the access token grants no permissions.

3. The storage medium of claim 1, wherein the instructions further cause the hardware processor to: provide the authorization server with the client topology.

4. The storage medium of claim 1, wherein: the resource request specifies a request for particular user data stored by the second resource server specified by the client topology; and the second set of permissions includes at least one permission that is different from the permissions included in the first set of permissions.

5. The storage medium of claim 4, wherein: the second set of permissions is an only set of permissions, specified by the client topology, for accessing the second resource server; and the client topology further specifies, as an only source associated with the second set of permissions, the first resource.

6. The storage medium of claim 4, wherein the instructions further cause the hardware processor to: receive, from the first resource, the particular user data.

7. The storage medium of claim 1, wherein the instructions further cause the hardware processor to: generate the client topology based on permissions data received from an entity that manages the first resource server, the permissions data specifying, for each of a plurality of resource servers associated with the first resource server, at least one other resource server of the plurality of resource servers and, for each of the at least one other resource servers, permissions granted to the other resource server.

8. A computing device for providing selective access to resources, the computing device comprising: a hardware processor; and a data storage device storing instructions that, when executed by the hardware processor, cause the hardware processor to: receive, from a client application, a client request to access a first resource server, the client request including a client access token specifying, as a client audience, the client application; in response to receiving the client request, identify a first set of permissions for accessing, by the client application, the first resource server, the first set of permissions being specified by a client topology for the client application, the client topology specifying: the first resource server; the first set of permissions for accessing, by the client application, the first resource server; a second resource server; and a second set of permissions for accessing, by the first resource server, the second resource server; provide the client application with a first access token, the first access token specifying the first set of permissions and, as a first audience, the first resource server; receive, from the first resource server, a first resource request to access the second resource server, the first resource request including the first access token; and in response to receiving the first resource request, provide the first resource server with a second access token, the second access token specifying the second set of permissions and, as a second audience, the second resource server.

9. The computing device of claim 8, wherein the instructions further cause the processor to: receive, from the client application, the client topology.

10. The computing device of claim 8, wherein the instructions further cause the processor to: receive, from the client application, a client sub-topology, the client sub-topology specifying: the first resource server; and the first set of permissions; receive, from the first resource server, a first resource sub-topology, the first resource sub-topology specifying: the second resource server; and the second set of permissions; and generate the client topology using the client sub-topology and the first resource sub-topology.

11. The computing device of claim 8, wherein the second set of permissions includes at least one permission that is different from permissions included in the first set of permissions.

12. A method for providing selective access to resources, implemented by a hardware processor, the method comprising: receiving, from a client device, i) a client request for user data, and ii) a first token specifying a first audience and a first set of permissions; providing an authorization server with a token request, the token request including i) the first token, and ii) a request to access a resource server; receiving, from the authorization server, a resource server token, the resource server token specifying a second audience and a second set of permissions, the second audience being the resource server; providing the resource server with i) a resource request for the user data, and ii) the resource server token; receiving, from the resource server, the user data; and providing the user data to the client device.

13. The method of claim 12, wherein the second set of permissions includes at least one permission that is different from permissions specified by the first set of permissions.

14. The method of claim 12, further comprising: providing the authorization server with a resource sub-topology that specifies, for each of a plurality of resource servers, at least one set of permissions for accessing the resource server, and wherein the first set of permissions is specified by the resource sub-topology.

15. The method of claim 12, further comprising: providing a resource sub-topology to a client associated with the client device, the resource sub-topology specifying, for each of a plurality of resource servers, at least one set of permissions for accessing the resource server, and wherein the first set of permissions is specified by the resource sub-topology.
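The per-hop token exchange described in the abstract and claims, as an added Python model that is not code from the patent or its assignee. The client topology, service names, permission strings and the HMAC-signed token format are all constructed for the example; the point it shows is that each hop receives a token bound to a single audience and carrying only the permission set the topology assigns to that edge, so neither the client nor the first resource server can reach the second resource server with anything but its own, narrower token.

```python
import hmac, hashlib, json

# Constructed client topology: which caller may reach which resource server, and with which
# permissions. Edges: client -> svc-a ("read:profile"); svc-a -> svc-b ("read:address").
TOPOLOGY = {
    "client": {"svc-a": ["read:profile"]},
    "svc-a": {"svc-b": ["read:address"]},
}
SECRET = b"constructed-demo-key"  # assumed to be shared by the authorization and resource servers


def mint(aud, scope):
    """Authorization server: issue a signed token bound to one audience and one permission set."""
    body = json.dumps({"aud": aud, "scope": sorted(scope)}, sort_keys=True).encode()
    return body + b"." + hmac.new(SECRET, body, hashlib.sha256).hexdigest().encode()


def verify(token):
    """Check the signature and return the token's claims; any tampering is rejected."""
    body, _, sig = token.rpartition(b".")
    expected = hmac.new(SECRET, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(sig, expected):
        raise PermissionError("bad signature")
    return json.loads(body)


def exchange(presented, requester, target):
    """Authorization server: swap the token issued to `requester` for one scoped to `target`.
    The presented token must name the requester as its audience, and the topology must contain
    the edge requester -> target; otherwise the hop is refused."""
    claims = verify(presented)
    if claims["aud"] != requester:
        raise PermissionError("token was not issued to the requester")
    scope = TOPOLOGY.get(requester, {}).get(target)
    if scope is None:
        raise PermissionError(f"{requester} may not access {target}")
    return mint(target, scope)


def serve(server, token, needed):
    """Resource server: accept only tokens addressed to it that carry the permission it requires."""
    claims = verify(token)
    if claims["aud"] != server or needed not in claims["scope"]:
        raise PermissionError(f"{server} refuses the request")
    return f"{server}:{needed}:ok"


def fetch_profile_with_address():
    """Full chain client -> svc-a -> svc-b, each hop narrowed by the topology."""
    client_token = mint("client", [])               # client token grants no permissions (claim 2)
    t1 = exchange(client_token, "client", "svc-a")  # audience svc-a, scope read:profile
    t2 = exchange(t1, "svc-a", "svc-b")             # audience svc-b, scope read:address
    return serve("svc-a", t1, "read:profile"), serve("svc-b", t2, "read:address")
```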

Assignees

Hewlett Packard Development Co Lp

Inventors

Classifications

  • using passwords (cryptographic mechanisms or cryptographic arrangements for entity authentication using a predetermined code H04L9/3226)

  • Miscellaneous aspects

  • H04L63/10 (primary): for controlling access to devices or network resources

  • H04L63/105 (primary): Multiple levels of security

  • H04L63/08 (primary): for authentication of entities (cryptographic mechanisms or cryptographic arrangements for entity authentication H04L9/32)

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US2018020005A1 cover?

Examples relate to providing selective access to resources. In one example, a computing device may: receive, from a client application, a request to access a first resource server, the request including a client access token; identify a first set of permissions specified by a client topology, the client topology specifying: the first resource server; the first set of permissions for accessing, …

Who is the assignee on this patent?

Hewlett Packard Development Co Lp

What technology area does this patent fall under?

Primary CPC classification: H04L63/10. Mapped technology areas include Electricity.

When was this patent published?

Publication date: Jan 18, 2018 (A1). Legal status and post-grant events are not shown on this page.

What related patents are in patentsdb?

We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).