+1 How about if the Protected Resource returns an HTTP 302 redirect to the Auth URL? The scope information can be encoded in the URL.
Allen On 4/1/10 9:07 PM, "Luke Shepard" <lshep...@facebook.com> wrote: > > On Apr 1, 2010, at 6:59 PM, Peter Saint-Andre wrote: >> >> If that's true, then how does the Authorization Server know what scope >> is appropriate at the Protected Resource? Does inclusion of the scope >> parameter require a 1:1 mapping between AS and PR, or at least >> communication between AS and PR? > > My preferred way of handling this is to have the Protected Resource throw a > 403 Forbidden error, with an error message that specifies the scope needed - > e.g., "oauth_scope_required=photo_read". > > So an app that tries to access a protected resource should be able to > programatically take the scope in the error message and then construct an > OAuth authorization request to get that permission from the user. Even if the > scope is totally opaque, it should still be possible for a library to handle > them in this way. > > I believe David or Eran were thinking of writing this into the spec? > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
