Good afternoon,

We're in the process of implementing an open-source Ruby OAuth 2 (draft 09) server, which will be made available at http://github.com/aflatter/oauth2-ruby.

During our draft 09 analysis we've noticed that the OPTIONAL scope sent by the client in the Authorization Request is disconnected from the Authorization Response scope in a way that, in our opinion, makes it hard for the client to know if his requested scope was met or not.

For example, consider a scenario where a client issues an authorization code request to the authorization server, including in that request the scope "friends photos videos". However, the resource owner only authorizes the access to the friends list; thus, in our opinion, the authorization server MUST send an authorization response containing the code and the following scope: "friends". Also, should the authorization server wish to append other scopes, it should be free to do so, per the current draft specification. In that regard, it would be possible for the response to have the following scope: "friends extended_user_info".

In light of this opinion, we enclose the following text change request regarding draft 09, section 3.1, scope parameter:

    scope
        REQUIRED if it has been passed in the authorization request, otherwise OPTIONAL. This parameter delimits the scope of the access token as an unordered list of space-delimited strings, each adding an additional access range to the requested scope. The value of the "scope" parameter is defined by the authorization server and MUST take into account the "scope" requested in the authorization request by setting the authorization response "scope" parameter to the values to which the token grants access. Furthermore, the authorization server can add any other values deemed necessary to determine the response scope.

Best regards,
Diogo Almeida

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
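The scope negotiation described in the message above, as an added example in Ruby. This is not code from the oauth2-ruby project or from the poster; the function names, the split of inputs into "requested", "authorized" and "extra", and the sample scope strings are assumptions made for illustration. It shows both halves of the proposed rule: the server builds the response scope from the request scope and the resource owner's decision (adding its own values where it wishes), and the client compares the returned scope with what it asked for so it can tell a denied scope from a server-added one.

```ruby
# Added example (not code from oauth2-ruby or from the mailing-list post):
# scope negotiation between the authorization request and response under the
# rule proposed in the message. Function names and inputs are assumptions.

# Split a space-delimited scope value into an unordered list of unique tokens.
# nil (parameter absent) and "" both yield an empty list.
def parse_scope(value)
  return [] if value.nil?
  value.split(/\s+/).reject(&:empty?).uniq
end

# Authorization server side. Computes the "scope" value for the authorization
# response from:
#   requested  - the "scope" string from the authorization request, or nil if absent
#   authorized - scopes the resource owner actually approved (constructed input)
#   extra      - scopes the server chooses to add on its own
# Returns a String when the response carries a scope, or nil when the request
# carried no scope and the server has nothing to add (the OPTIONAL case).
def response_scope(requested, authorized, extra = [])
  granted =
    if requested.nil?
      # No requested scope: the server alone defines the token's scope.
      authorized + extra
    else
      # Requested scope present: keep only what the resource owner approved,
      # then append anything the server decides to add.
      (parse_scope(requested) & authorized) + extra
    end
  granted = granted.uniq
  return nil if requested.nil? && granted.empty?
  # "scope" is REQUIRED when it was in the request, even if nothing survived;
  # a real server would usually answer with an error instead of an empty scope.
  granted.join(" ")
end

# Client side. Compares what was asked for with what came back so the client
# can tell whether its request was met; server-added scopes are reported
# separately rather than mistaken for a denial.
def compare_scope(requested, returned)
  asked = parse_scope(requested)
  got   = parse_scope(returned)
  {
    granted: asked & got,
    denied:  asked - got,
    added:   got - asked,
    met:     (asked - got).empty?
  }
end

if __FILE__ == $PROGRAM_NAME
  # Scenario from the post: the client asks for three scopes, the owner
  # approves one, and the server appends one of its own.
  scope = response_scope("friends photos videos", ["friends"], ["extended_user_info"])
  puts "response scope: #{scope.inspect}"
  p compare_scope("friends photos videos", scope)
end
```

The comparison treats scope values as sets, as the proposed text calls the list unordered, so token order and duplicates in either direction do not affect the result.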