I'm a bit confused by the text at the end of the definition of the scope parameter in section 6 on Refreshing an Access Token [1]. It says,

"... The requested scope MUST be equal or lesser than the scope originally granted by the resource owner, and if omitted is treated as equal to the previously approved scope."

In particular, what is the 'previously approved scope'? Is it the same as the originally granted scope? Or is it the most recent scope successfully requested when refreshing? If the latter, does this imply that an AS implementation must store both the original scope and the previously requested scope? Or is it something else?

Perhaps a better question is: what is the use case behind this text? I assume it's some kind of down-scoping (and I apologize if this has been discussed before and I missed it), but the intent isn't clear to me, nor is it clear what exactly is required by the spec.

Thanks for any info,
Brian

[1] link to draft 13: http://tools.ietf.org/html/draft-ietf-oauth-v2-13#section-6 (the most recent preview of 14 has the same text).

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
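The following is an added illustration of the quoted rule as an authorization server might enforce it at the token endpoint; it is not code from the post, the draft, or any OAuth implementation. It assumes the reading the post raises as a possibility: the refresh-token record stores both the originally granted scope (the upper bound for any refresh) and the scope approved by the most recent successful refresh (what an omitted `scope` parameter falls back to). The names `RefreshTokenRecord`, `resolve_refresh_scope` and `handle_refresh` are invented for the example, and the records are constructed inline. Which reading the draft actually intends is the open question in the post; the code only makes the consequences of this one concrete.

```python
"""Scope enforcement for an OAuth 2.0 refresh-token request (added example).

Rule being modelled (from the quoted draft text): the requested scope MUST be
equal or lesser than the scope originally granted by the resource owner, and
if omitted is treated as equal to the previously approved scope.

Assumption for this example: 'previously approved scope' means the scope
approved by the most recent successful token response, so the record keeps
both values. That is one of the two readings asked about in the post.
"""
from dataclasses import dataclass


class InvalidScope(ValueError):
    """Would map to the token endpoint's 'invalid_scope' error response."""


@dataclass(frozen=True)
class RefreshTokenRecord:
    client_id: str
    original_scope: frozenset   # granted by the resource owner at authorization time
    current_scope: frozenset    # approved by the most recent successful token response


def parse_scope(scope_param):
    """Split the space-delimited scope parameter into a set of scope tokens.

    Returns None when the parameter was omitted entirely; an empty or
    whitespace-only value is rejected rather than silently treated as omitted.
    """
    if scope_param is None:
        return None
    tokens = frozenset(scope_param.split())
    if not tokens:
        raise InvalidScope("scope parameter present but empty")
    return tokens


def resolve_refresh_scope(record, scope_param):
    """Return the scope the new access token should carry, or raise InvalidScope."""
    requested = parse_scope(scope_param)
    if requested is None:
        # Omitted: treated as equal to the previously approved scope.
        return record.current_scope
    # Must be equal or lesser than the scope ORIGINALLY granted, so a client
    # that down-scoped earlier may still come back up to the original grant.
    if not requested <= record.original_scope:
        extra = sorted(requested - record.original_scope)
        raise InvalidScope(f"requested scope exceeds original grant: {extra}")
    return requested


def handle_refresh(record, scope_param):
    """Issue the refreshed scope and the updated record to persist alongside it."""
    granted = resolve_refresh_scope(record, scope_param)
    updated = RefreshTokenRecord(record.client_id, record.original_scope, granted)
    return granted, updated


if __name__ == "__main__":
    # Constructed sample record: resource owner granted 'read write'.
    rec = RefreshTokenRecord("client-1", frozenset({"read", "write"}), frozenset({"read", "write"}))
    scope, rec = handle_refresh(rec, "read")          # down-scope to 'read'
    print(sorted(scope))                               # ['read']
    scope, rec = handle_refresh(rec, None)             # omitted -> previously approved
    print(sorted(scope))                               # ['read']
    scope, rec = handle_refresh(rec, "read write")     # back up to the original grant
    print(sorted(scope))                               # ['read', 'write']
    try:
        handle_refresh(rec, "read admin")              # beyond the original grant
    except InvalidScope as exc:
        print("rejected:", exc)
```

Under this reading the server must persist two values per refresh token, which is exactly the storage question the post raises; the alternative reading (previously approved equals originally granted) would collapse the two fields into one and make the omitted-scope fallback identical to the upper bound.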