The current spec defines scope (when the scope variable is introduced) as:

scope
  OPTIONAL. The scope of the access request expressed as a list of space-delimited strings. The value of the "scope" parameter is defined by the authorization server. If the value contains multiple space-delimited strings, their order does not matter, and each string adds an additional access range to the requested scope.

I think the last phrase is adding semantics that may not be true, and that the following is more accurate:

scope
  OPTIONAL. The scope of the access request expressed as a list of space-delimited strings. The value of the "scope" parameter is defined by the authorization server. If the value contains multiple space-delimited strings, their order does not matter.

An authorization server may define some scope parameters that add restrictions to the access rather than being additive. For example, scope could be defined by an AS as one or more resources (PHOTOS PROFILE FRIENDS) and the type of access (READ WRITE READWRITE)

-- Dick

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
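
An added illustration of the point in the message above, not part of the original post or of the OAuth specification: a hypothetical authorization-server policy modelled on the PHOTOS/PROFILE/FRIENDS and READ/WRITE/READWRITE example. It assumes that a value naming no access type means read and write, and shows why a check that a request stays inside an earlier grant has to compare effective access rather than scope strings.

```python
# Hypothetical AS policy modelled on the post's example; names and default are assumptions.
RESOURCES = {"PHOTOS", "PROFILE", "FRIENDS"}
ACCESS = {"READ": {"read"}, "WRITE": {"write"}, "READWRITE": {"read", "write"}}
DEFAULT_OPS = {"read", "write"}  # assumption: no access-type string means full access


def parse_scope(value):
    """Split the space-delimited value; order and repeats carry no meaning."""
    return frozenset(value.split())


def effective_access(value):
    """Return the (resource, operation) pairs a scope value grants under this policy."""
    tokens = parse_scope(value)
    unknown = tokens - RESOURCES - set(ACCESS)
    if unknown:
        # Strings the AS has not defined are rejected rather than ignored.
        raise ValueError("invalid_scope: " + " ".join(sorted(unknown)))
    # Access-type strings combine with each other, then apply to every named resource.
    ops = set().union(*(ACCESS[t] for t in tokens if t in ACCESS)) or DEFAULT_OPS
    return {(r, op) for r in tokens & RESOURCES for op in ops}


def is_within(requested, granted):
    """True if `requested` gives no access beyond `granted`."""
    return effective_access(requested) <= effective_access(granted)


if __name__ == "__main__":
    # Adding the string READ removes write access: the string restricts, it does not add.
    print(sorted(effective_access("PHOTOS")))
    print(sorted(effective_access("PHOTOS READ")))
    # "PHOTOS" is a subset of the strings in "PHOTOS READ", yet it grants more access.
    print(is_within("PHOTOS", "PHOTOS READ"))
    print(is_within("PHOTOS READ", "PHOTOS"))
```

Under a policy like this, a subset test on the scope strings would accept "PHOTOS" as a narrowing of "PHOTOS READ" even though it widens access.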