WRAP includes a loosely defined scope parameter which allows for
vendor-specific (and non-interoperable) use cases. This was requested by
many working group members to be included in OAuth 2.0 with the argument
that while it doesn't help interop, it makes using clients easier.

The problem with a general purpose scope parameter that is completely
undefined in structure is that it hurts interop more than it helps. It
creates an expectation that values can be used across services, and it
cannot be used without another spec defining its content and structure. Such
a spec can simply define its own parameter.

In addition, it is not clear what belongs in scope (list of resources,
access type, duration of access, right to share data, rights to
re-delegate).

The rule should be that if a parameter cannot be used without other
documentation, it should be defined in that other document.

Proposal: Request proposals for a scope parameter definition that improve
interop. Otherwise, keep the parameter out of the core spec.

EHL

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth