In most cases, it will likely be a fixed value, but there's nothing
indicating that it can't be contextual. Especially in cases where you've
got public, confidential, and dynamically-registered clients all acting
on the same host, the default value will depend completely on what kind
of client is asking.
Really, this is a way of saying "scope is up to the AS", which it is,
even if the client asks for something else.
-- Justin
On 02/12/2012 11:44 PM, Andrew Arnott wrote:
From section 3.3 (draft 23):
If the client omits the scope parameter when requesting
authorization, the authorization server MUST either process the
request using *a pre-defined default value*, or fail the request
indicating an invalid scope. The authorization server SHOULD
document its scope requirements and default value (if defined).
Is this saying that the pre-defined default value must be a FIXED
value for all clients and all grants? Or might the predefined default
value actually be a derivation of the grant? (for example, by default
the access token scope is simply the maximum scope allowed by the grant)
Thanks.
--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the
death your right to say it." - S. G. Tallentyre
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
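The section 3.3 rule under discussion (apply a pre-defined default or fail with invalid_scope), together with the point that the default can be contextual per client, as an added example that is not code from the thread or from any OAuth implementation. The client registry, client ids and scope names are constructed for illustration; the confidential client's default is deliberately set to the maximum scope it is allowed, the public client gets a narrower default, and the dynamically registered client has no default at all and must ask explicitly.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Client:
    """Registered client as the authorization server (AS) sees it.

    The default scope is a property of the registration, so public,
    confidential and dynamically registered clients on the same host can
    each have their own default, or none (hypothetical fields).
    """
    client_id: str
    client_type: str                         # "public" | "confidential" | "dynamic"
    allowed_scopes: frozenset                # maximum scope the AS permits this client
    default_scope: Optional[frozenset] = None  # None -> no pre-defined default


class InvalidScope(Exception):
    """Maps to the 'invalid_scope' error code of RFC 6749 (sections 4.1.2.1 and 5.2)."""


def resolve_scope(client: Client, requested: Optional[str]) -> frozenset:
    """Return the scope the AS will actually grant for this request.

    Section 3.3 behaviour: when 'scope' is omitted, either apply the
    client's pre-defined default or fail with invalid_scope. When 'scope'
    is present, refuse anything outside the client's allowed set (an AS
    may instead narrow the grant; refusing is the stricter choice here).
    """
    if requested is None or requested.strip() == "":
        if client.default_scope is None:
            raise InvalidScope("scope omitted and no default defined for this client")
        return client.default_scope
    # Scope values are space-delimited, case-sensitive strings (section 3.3).
    asked = frozenset(requested.split())
    excess = asked - client.allowed_scopes
    if excess:
        raise InvalidScope(f"requested scope exceeds allowed: {sorted(excess)}")
    return asked


# Constructed registry; the per-client defaults are the whole point.
REGISTRY = {
    "web-app": Client("web-app", "confidential",
                      frozenset({"read", "write", "admin"}),
                      default_scope=frozenset({"read", "write", "admin"})),  # default = max allowed
    "spa": Client("spa", "public",
                  frozenset({"read", "write"}),
                  default_scope=frozenset({"read"})),                        # narrower default
    "dyn-123": Client("dyn-123", "dynamic",
                      frozenset({"read"}),
                      default_scope=None),                                   # must request scope explicitly
}


def handle_authorization_request(params: dict) -> dict:
    """Slice of an authorization endpoint: returns the granted scope or the
    error body the AS would send back, for constructed request parameters."""
    client = REGISTRY.get(params.get("client_id", ""))
    if client is None:
        return {"error": "invalid_request", "error_description": "unknown client_id"}
    try:
        granted = resolve_scope(client, params.get("scope"))
    except InvalidScope as exc:
        return {"error": "invalid_scope", "error_description": str(exc)}
    return {"scope": " ".join(sorted(granted))}


if __name__ == "__main__":
    for req in ({"client_id": "web-app"},
                {"client_id": "spa"},
                {"client_id": "dyn-123"},
                {"client_id": "spa", "scope": "read admin"}):
        print(req, "->", handle_authorization_request(req))
```

The contract a reviewer would check against section 3.3: an omitted scope never silently becomes "everything" unless the AS has documented that default for that class of client, and a client with no registered default is told invalid_scope rather than guessed for.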