In the context of Martin's question (which concerns end-users understanding and resulting actions), I interpret the citation as follows: The end-user has no control over the value of the "scope" parameter, and, given that "it is defined by the authorization server," the end-user is not expected even to understand this value. Granted, an implementation can of course fix this specific issue, but the standard does not address it.

Overall, I do see this is a drawback of 2.0, which needs to be fixed by careful specification of the "scope" values in the future, but I know that 2.0 needs to be out and that it has high-priority items (such as security) to be dealt with right now. I don't want to delay 2.0 by suggesting drastic changes in the design decisions, so I am not harping on the seeming irrelevance of the end-user.

With the view of OAuth evolution though, I would like to see the whole token standardized, with the end-user having the overall control of the token--even if in the default situation it is still prepared by the authorization server--with the ability to assign or change (or both) any value contained in it.

Igor


Eran Hammer-Lahav wrote:
-10 4.2:

   scope
         OPTIONAL.  The scope of the access token as a list of space-
         delimited strings.  The value of the "scope" parameter is
         defined by the authorization server.  If the value contains
         multiple space-delimited strings, their order does not matter,
         and each string adds an additional access range to the
         requested scope.  The authorization server SHOULD include the
         parameter if the requested scope is different from the one
         requested by the client.

EHL

-----Original Message-----
From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf
Of Martin Ley
Sent: Friday, November 26, 2010 12:41 AM
To: oauth@ietf.org
Subject: [OAUTH-WG] Requesting multiple scope, but user authorizes not all

Dear list,

perhaps I've overlooked it in the specification, or it was not explicit about my
required scenario:


The Web-Server-Flow is used. An application requests data about the user.
The scopes are dateofbirth,isover18,address. Now the user is forwarded to
the authorization server to identify and authenticate and give permissions to
the applications. The user decides to give only permission for the isover18
scope but not dateofbirth and address.

How would the application be notified about the granted scopes and the not
granted scopes?

Best regards

Martin


--
tarent Gesellschaft für Softwareentwicklung und IT-Beratung mbH
Geschäftsführer: Boris Esser, Elmar Geese HRB AG Bonn 5168 - USt-ID (VAT):
DE122264941

Heilsbachstraße 24, 53123 Bonn,   Telefon: +49 228 52675-0
Thiemannstraße 36a, 12059 Berlin, Telefon: +49 30 5682943-30
Internet: http://www.tarent.de/   Telefax: +49 228 52675-25
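Martin's scenario carried through in code, as an added example that is not part of this thread or of any OAuth implementation: it parses the "scope" member of the access-token response as defined in the -10 text Eran quoted (space-delimited strings, order irrelevant) and reports which of the requested scopes were granted, which were denied, and which turned up without having been requested. The JSON response body, the scope names (dateofbirth, isover18, address) and the assumption that an absent "scope" parameter means "identical to the requested scope" are constructed for the example; the draft only says the server SHOULD include the parameter when the granted scope differs.

```python
import json


def parse_scope(value):
    """Split a 'scope' value as draft -10 section 4.2 defines it:
    space-delimited strings whose order does not matter, so a set is
    the natural representation. Repeated spaces and empty tokens are
    tolerated rather than treated as extra scopes."""
    if value is None:
        return set()
    return {s for s in value.split(" ") if s}


def reconcile_scopes(requested, token_response):
    """Compare the scope the client asked for with what the server granted.

    requested:      iterable of scope strings the client sent.
    token_response: dict parsed from the access-token response body.
    Returns (granted, denied, unrequested) as sets.

    Assumption (this example's reading of the SHOULD, not spec text): if
    the response carries no 'scope' member, the granted scope equals the
    requested scope."""
    requested = set(requested)
    if "scope" in token_response:
        granted = parse_scope(token_response["scope"])
    else:
        granted = set(requested)
    denied = requested - granted          # the user refused these
    unrequested = granted - requested     # server gave more than asked; do not rely on it
    return granted, denied, unrequested


def authorized_for(granted, needed):
    """True only if every scope the application needs for an operation was
    actually granted; the application checks this before using the token."""
    return set(needed) <= granted


if __name__ == "__main__":
    # Constructed access-token response for Martin's case: the user granted
    # only isover18. The token value is a placeholder, not a real token.
    body = '{"access_token": "<constructed-token>", "scope": "isover18"}'
    response = json.loads(body)
    asked = ["dateofbirth", "isover18", "address"]
    granted, denied, unrequested = reconcile_scopes(asked, response)
    print("granted:    ", sorted(granted))
    print("denied:     ", sorted(denied))
    print("unrequested:", sorted(unrequested))
    print("may read date of birth:", authorized_for(granted, ["dateofbirth"]))
    print("may check isover18:    ", authorized_for(granted, ["isover18"]))
```

Because the draft leaves the meaning of each scope string to the authorization server, the client can only compare strings for equality; it cannot infer, for instance, that "dateofbirth" implies "isover18". Treating the parameter as a set (rather than a string to compare verbatim) is what makes "their order does not matter" hold in practice.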

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth