I think such things are better dealt with extensions. I do not like to overload "scope".
=nat On Sat, Nov 27, 2010 at 5:26 AM, Igor Faynberg <igor.faynb...@alcatel-lucent.com> wrote: > In the context of Martin's question (which concerns end-users understanding > and resulting actions), I interpret the citation as follows: The end-user > has no control over the value of the "scope" parameter, and, given that "it > is defined by the authorization server," the end-user is not expected even > to understand this value. Granted, an implementation can of course fix this > specific issue, but the standard does not address it. > > Overall, I do tsee this is a drawback of 2.0, which needs to be fixed by > careful specification of the "scope" values in the future, but I know that > 2.0 needs to be out and that it has high-priority items (such as security) > to be dealt with right now. I don't want to delay 2.0 by suggesting drastic > changes in the design decisions, so I am not harping on the seeming > irrelevance of the end-user. > > With the view of OAuth evolution though, I would like to see the whole token > standardized, with the end-user having the overall control of the > token--even if in the default situation it is still prepared by the > authorization server-- with the ability to assign or change (or both) any > value contained in it. > > Igor > > > Eran Hammer-Lahav wrote: >> >> -10 4.2: >> >> scope >> OPTIONAL. The scope of the access token as a list of space- >> delimited strings. The value of the "scope" parameter is >> defined by the authorization server. If the value contains >> multiple space-delimited strings, their order does not matter, >> and each string adds an additional access range to the >> requested scope. The authorization server SHOULD include the >> parameter if the requested scope is different from the one >> requested by the client. >> >> EHL >> >> >>> >>> -----Original Message----- >>> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf >>> Of Martin Ley >>> Sent: Friday, November 26, 2010 12:41 AM >>> To: oauth@ietf.org >>> Subject: [OAUTH-WG] Requesting mutliple scope, but user authorizes not >>> all >>> >>> Dear list, >>> >>> perhaps I've overread it in the specification or it was not explicit >>> about my >>> required scenario: >>> >>> >>> The Web-Server-Flow is used. An application requests data about the user. >>> The scopes are dateofbirth,isover18,address. Now the user is forwarded to >>> the authorization server to identify and authenticate and give >>> permissions to >>> the applications. The user decides to give only permission for the >>> isover18 >>> scope but not dateofbirth and address. >>> >>> How would the application be notified about the granted scopes and the >>> not >>> granted scopes? >>> >>> Best regards >>> >>> Martin >>> >>> >>> -- >>> tarent Gesellschaft für Softwareentwicklung und IT-Beratung mbH >>> Geschäftsführer: Boris Esser, Elmar Geese HRB AG Bonn 5168 - USt-ID >>> (VAT): >>> DE122264941 >>> >>> Heilsbachstraße 24, 53123 Bonn, Telefon: +49 228 52675-0 >>> Thiemannstraße 36a, 12059 Berlin, Telefon: +49 30 5682943-30 >>> Internet: http://www.tarent.de/ Telefax: +49 228 52675-25 >>> >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org >>> https://www.ietf.org/mailman/listinfo/oauth >>> >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >> > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > -- Nat Sakimura (=nat) http://www.sakimura.org/en/ http://twitter.com/_nat_en _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
