> -----Original Message-----
> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Brian Campbell
> Sent: Tuesday, March 29, 2011 3:32 PM
> To: oauth
> Subject: [OAUTH-WG] Question on scope when refreshing an access token
>
> I'm a bit confused by the text at the end of the definition of the scope
> parameter in section 6 on Refreshing an Access Token[1]. It says,
>
> "... The requested scope MUST be equal or lesser
> than the scope originally granted by the resource owner, and if
> omitted is treated as equal to the previously approved scope."
>
> In particular, what is the 'previously approved scope'? Is it the same as the
> originally granted scope? Or is it the most recent scope successfully
> requested when refreshing? If the latter, does this imply that an AS
> implementation must store both the original scope and the previously
> requested scope? Or is it something else?
>
> Perhaps a better question is what is the use case behind this text? I assume
> it's some kind of down-scoping (& I apologize if this has been discussed
> before and I missed it) but the intent isn't clear to me nor is it clear what
> exactly is required by the spec.
Yep, just down-scoping. It is there to make sure that whatever the resource owner approved is always the most permissive scope granted. Do I need to make it clearer?

EHL

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
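The refresh-time scope check the thread discusses, as an added example rather than code from the thread or from any OAuth implementation: the resource owner's original grant is the ceiling a refresh can never exceed, and an omitted scope falls back to the previously approved scope. The `RefreshGrant` record, the `InvalidScope` name, and the choice to remember the last down-scoped value as the "previously approved scope" are this example's own assumptions.

```python
"""Scope validation for an OAuth 2.0 refresh_token grant (added example).

Rule modelled: requested scope MUST be a subset of the scope the resource
owner originally granted; if omitted, it is treated as the previously
approved scope. Record layout and error type are assumptions."""
from dataclasses import dataclass


class InvalidScope(Exception):
    """Maps to an OAuth 'invalid_scope' error response."""


@dataclass
class RefreshGrant:
    # Scope approved by the resource owner at authorization time.
    # This is the ceiling: no refresh may ever widen beyond it.
    granted: frozenset
    # Scope issued with the most recent access token. Assumption: the AS
    # stores this beside the original grant so an omitted scope defaults
    # to the last approved value rather than silently re-widening.
    last_issued: frozenset = None

    def __post_init__(self):
        if self.last_issued is None:
            self.last_issued = self.granted


def parse_scope(value):
    """OAuth scope is a space-delimited list of case-sensitive tokens."""
    return frozenset(value.split())


def refresh_scope(grant, requested=None):
    """Return the scope to issue for this refresh, or raise InvalidScope."""
    if requested is None:
        # Omitted: same as previously approved, which is never wider than granted.
        return grant.last_issued
    wanted = parse_scope(requested)
    if not wanted:
        raise InvalidScope("empty scope parameter")
    # Subset test against the ORIGINAL grant, not the last token: a client may
    # down-scope and later come back up, but only to what the owner approved.
    if not wanted <= grant.granted:
        raise InvalidScope(f"scope exceeds grant: {sorted(wanted - grant.granted)}")
    grant.last_issued = wanted  # down-scope persists for later omitted refreshes
    return wanted
```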