On Mon, May 24, 2010 at 10:04 PM, Manger, James H <james.h.man...@team.telstra.com> wrote:

>> How does the authz server know how to partition the scopes to the multiple
>> tokens? One scope per token? What if an API requires multiple scopes?
>
> An AS will generally know a fair bit about the services for which it is
> issuing access tokens -- at least which services require what sort of token.

Ideally the AS should not have intimate knowledge of the services; that does not scale. Also, the client is requesting access to a set of scopes, not to a set of services, and those are not always the same thing.

> For situations where the client app has more knowledge than the AS on how
> tokens will be used, the client app could tell the AS how to partition tokens
> with another parameter in the user-uri (though OAuth2 doesn't necessarily
> have to standardise such a parameter now).

I think this complicates the spec quite a bit. Down-scoping really solves the problem and keeps the spec simple. The only drawback is that extra calls are needed.

Marius

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
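The down-scoping approach argued for above, as an added example that is not part of the original thread or of any OAuth draft: the AS issues one broad token for everything the user approved, and the client later exchanges it for a narrower token carrying only the scopes a particular call needs. The AS checks only that the requested scopes are a subset of the original grant, so it needs no knowledge of which service will consume the narrower token, and an API that requires several scopes simply requires all of them. The HMAC token format, the `downscope` operation, the scope names and the `service_accepts` check are all assumptions made for the illustration.

```python
# Illustrative model of scope down-scoping (added example, not from the
# OAuth mailing list thread or any OAuth draft). The token format, the
# downscope() exchange and the scope names are assumptions for this demo.
import base64
import hashlib
import hmac
import json
import secrets

KEY = secrets.token_bytes(32)  # AS signing key, generated just for this run


def _sign(payload: dict) -> str:
    """Encode claims and append an HMAC tag so the AS can trust tokens it issued."""
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    tag = hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def _verify(token: str) -> dict:
    """Check the tag in constant time and return the claims, or raise."""
    body, tag = token.split(".")
    expected = hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad signature")
    return json.loads(base64.urlsafe_b64decode(body))


def issue_token(user: str, scopes: set[str]) -> str:
    """AS issues one broad token covering every scope the user approved."""
    return _sign({"sub": user, "scope": sorted(scopes)})


def downscope(token: str, wanted: set[str]) -> str:
    """AS exchanges a valid token for one carrying only a subset of its scopes.

    Scopes outside the original grant are refused, so a narrow token can never
    be widened again. The AS does not need to know which service will consume
    the result; that is the point of down-scoping versus AS-side partitioning.
    """
    claims = _verify(token)
    granted = set(claims["scope"])
    if not wanted:
        raise ValueError("empty scope")
    if not wanted <= granted:
        raise PermissionError(f"cannot add scopes: {sorted(wanted - granted)}")
    return issue_token(claims["sub"], wanted)


def service_accepts(token: str, required: set[str]) -> bool:
    """Resource server check: the token must cover every scope the API needs.

    An API that needs several scopes just lists them all in `required`.
    """
    claims = _verify(token)
    return required <= set(claims["scope"])


def demo() -> dict:
    """Run the exchange end to end and report what each check decided."""
    broad = issue_token("alice", {"mail.read", "calendar.read", "contacts.write"})
    mail_only = downscope(broad, {"mail.read"})            # extra call #1
    both = downscope(broad, {"mail.read", "calendar.read"})  # extra call #2
    try:
        downscope(mail_only, {"calendar.read"})  # attempt to widen a narrow token
        escalated = True
    except PermissionError:
        escalated = False
    return {
        "mail_token_ok_for_mail": service_accepts(mail_only, {"mail.read"}),
        "mail_token_rejected_by_calendar": not service_accepts(mail_only, {"calendar.read"}),
        "multi_scope_api_satisfied": service_accepts(both, {"mail.read", "calendar.read"}),
        "escalation_blocked": not escalated,
        "broad_scopes": sorted(_verify(broad)["scope"]),
    }


if __name__ == "__main__":
    print(demo())
```

The cost the message mentions is visible in `demo()`: each narrower token is one more round trip to the AS. The benefit is that the partitioning question in the quoted text disappears, since the client asks for exactly the scope set each call needs and the AS only ever enforces subset-of-grant.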