On Apr 1, 2010, at 6:59 PM, Peter Saint-Andre wrote:
> If that's true, then how does the Authorization Server know what scope is appropriate at the Protected Resource? Does inclusion of the scope parameter require a 1:1 mapping between AS and PR, or at least communication between AS and PR?
My preferred way of handling this is to have the Protected Resource throw a 403 Forbidden error, with an error message that specifies the scope needed - e.g., "oauth_scope_required=photo_read". So an app that tries to access a protected resource should be able to programmatically take the scope in the error message and then construct an OAuth authorization request to get that permission from the user. Even if the scope is totally opaque, it should still be possible for a library to handle them in this way. I believe David or Eran were thinking of writing this into the spec?
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
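The exchange proposed in the reply above, as an added example that is not part of the original message or of any OAuth specification: a simulated Protected Resource that answers an under-scoped request with 403 and a machine-readable "oauth_scope_required" hint, and a client library that parses the hint (treating the scope value as opaque) and builds the authorization request to send the user to. The parameter name comes from the message; the token table, resource-to-scope policy, endpoint URLs and client parameters are constructed assumptions.

```python
"""Protected Resource signals the missing scope; the client turns the hint into an
authorization request. Constructed example; only 'oauth_scope_required' is from the thread."""
from urllib.parse import urlencode, parse_qsl

# Constructed token table: access token -> set of granted scopes (assumed)
TOKENS = {
    "tok-profile-only": {"profile_read"},
    "tok-full": {"profile_read", "photo_read"},
}

# Constructed resource policy: path -> scope the Protected Resource requires (assumed)
RESOURCE_SCOPES = {"/photos/123": "photo_read", "/me": "profile_read"}

# Assumed Authorization Server endpoint; the client configures this itself and never
# takes it from the 403 response, so the resource cannot redirect the user elsewhere.
AUTHORIZATION_ENDPOINT = "https://as.example/authorize"


def protected_resource(path, token):
    """Simulated Protected Resource. Returns (status, headers, body).
    401 for a missing/unknown token, 403 plus a scope hint for a valid token that
    lacks the scope this resource needs, 200 on success."""
    required = RESOURCE_SCOPES.get(path)
    if required is None:
        return 404, {}, ""
    granted = TOKENS.get(token)
    if granted is None:
        return 401, {"WWW-Authenticate": 'OAuth realm="example"'}, ""
    if required not in granted:
        # The hint is form-encoded so the client can parse it without knowing
        # anything about the scope string itself.
        body = urlencode({"oauth_scope_required": required})
        return 403, {"Content-Type": "application/x-www-form-urlencoded"}, body
    return 200, {}, f"resource {path}"


def scope_from_403(status, body):
    """Extract the required scope from a 403 body; None if the response carries no hint.
    The value is opaque to the client: it is only ever re-encoded into a query string."""
    if status != 403:
        return None
    params = dict(parse_qsl(body, keep_blank_values=False))
    return params.get("oauth_scope_required") or None


def build_authorization_request(client_id, redirect_uri, scope, state):
    """Construct the authorization request URL for the given scope. urlencode() escapes
    the scope, so a hostile hint cannot inject extra query parameters."""
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,  # assumed client-chosen value that binds the response to this request
    })
    return f"{AUTHORIZATION_ENDPOINT}?{query}"


def fetch_or_authorize(path, token, client_id, redirect_uri, state):
    """Client-library logic: try the resource; on a 403 with a scope hint, hand back the
    authorization request the user must be sent to. Returns a (kind, value) pair."""
    status, _headers, body = protected_resource(path, token)
    if status == 200:
        return "ok", body
    scope = scope_from_403(status, body)
    if scope is not None:
        return "authorize", build_authorization_request(client_id, redirect_uri, scope, state)
    return "error", status


if __name__ == "__main__":
    print(fetch_or_authorize("/photos/123", "tok-profile-only", "app1", "https://app.example/cb", "s1"))
    print(fetch_or_authorize("/photos/123", "tok-full", "app1", "https://app.example/cb", "s1"))
```

Two design points worth keeping when implementing this for real: the authorization endpoint is fixed client configuration, never taken from the error response, and the scope string is handled only by URL-encoding it into the request, so an attacker-controlled resource can at most ask for a scope the user will then see and approve or refuse at the Authorization Server.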