It doesn't disallow asking the user. The server is allowed to ignore the scope requested by the client. It can also define 'default scope' to mean 'prompt user' and document that.
EHL

> -----Original Message-----
> From: Andreas Åkre Solberg [mailto:andreas.solb...@uninett.no]
> Sent: Monday, January 23, 2012 1:23 AM
> To: Eran Hammer
> Cc: William Mills; oauth@ietf.org
> Subject: Re: [OAUTH-WG] Seeking Clarification: Potential Ambiguity in Specification
>
> On 20 Jan 2012, at 21:32, Eran Hammer wrote:
>
> > New text added to Access Token Scope section:
> >
> > If the client omits the scope parameter when requesting authorization, the authorization
> > server MUST process the request using a pre-defined default value, or fail the request
> > indicating an invalid scope.
>
> Will this change imply that implementing a more dynamic approach to issuing
> scopes, such as, for example, asking the user which scope should be issued to
> the consumer, will be explicitly disallowed, while it was accepted before this
> text was added?
>
> I think this section of the text does not solve the initial problem that started
> this thread, and I think it adds unnecessary restrictions.
>
> > The authorization server SHOULD document its scope
> > requirements and default value (if defined).
>
> This makes more sense to me.
>
> Andreas

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
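
An added illustration of the omitted-scope handling discussed in this thread (not code from the specification or from any participant): a server-side scope resolver covering the three documented behaviours, a fixed default, "default means prompt the user", and failing with `invalid_scope`. The names `OmittedScopePolicy`, `OAuthError` and `resolve_scope` are hypothetical and the scope values are constructed samples.

```python
from enum import Enum

class OmittedScopePolicy(Enum):
    DEFAULT_VALUE = 1  # process the request with a fixed, documented default
    PROMPT_USER = 2    # documented default means "ask the resource owner"
    REJECT = 3         # fail the request, indicating an invalid scope

class OAuthError(Exception):
    """Carries an OAuth 2.0 error code such as invalid_scope."""
    def __init__(self, code):
        super().__init__(code)
        self.code = code

# Constructed sample values, not taken from the thread.
SUPPORTED = frozenset({"profile", "email", "calendar.read"})
DEFAULT_SCOPE = frozenset({"profile"})

def resolve_scope(scope_param, policy, user_choice=None):
    """Return (granted, echo_scope) for an authorization request.

    scope_param is the raw space-delimited `scope` value, or None if omitted.
    echo_scope is True when the grant differs from what the client asked for,
    in which case OAuth 2.0 (RFC 6749, section 3.3) requires the server to
    return the granted scope in its response.
    """
    requested = set((scope_param or "").split())
    if not requested:
        if policy is OmittedScopePolicy.REJECT:
            raise OAuthError("invalid_scope")
        if policy is OmittedScopePolicy.DEFAULT_VALUE:
            return set(DEFAULT_SCOPE), True
        # PROMPT_USER: the user's selection is still limited to supported scopes.
        granted = set(user_choice or ()) & SUPPORTED
        if not granted:
            raise OAuthError("access_denied")
        return granted, True
    # The server may ignore parts of the request: unsupported scopes are dropped.
    granted = requested & SUPPORTED
    if not granted:
        raise OAuthError("invalid_scope")
    return granted, granted != requested
```
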