Today the definition of scope is vague. But I have seen mails on this list (such as Lukas Rosenstock's post http://www.ietf.org/mail-archive/web/oauth/current/msg03560.html which is just one example) that assert that scope represents the permissions that a client is requesting.
When we use scope (going back to its introduction in WRAP) we used it primarily for two-legged OAuth as a way for a client to tell a token endpoint what audience (in the SAML sense) it wanted a token for. This had nothing to do with the specific permission being requested. We used other claims for that.

I am not asking the group to agree with our usage. But I do want to check if the language in the spec (which really doesn't define scope very tightly) is actually consistent with what is in people's heads. Does the group see scope as a generally undefined entity that has to be defined in context (one such context could be that scope represents requested permissions) or do they see it just as a place to stick requested permissions?

What say you?

Thanks,

Yaron
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth