IMO the scenario as documented doesn't make complete sense in the context of OAuth 2.0 as it says that Bob uses the access token to access Alice's photos. Clients in OAuth 2.0 are not people, they are programs.
From: David Fox <da...@davidjfox.com>
To: "'OAuth WG'" <oauth@ietf.org>
Date: 12/03/2012 12:15 PM
Subject: [OAUTH-WG] Issue token for another user
Sent by: oauth-boun...@ietf.org

http://tools.ietf.org/html/draft-zeltsan-oauth-use-cases-02#section-3.8

In order to achieve the use case above, how would the client (a.k.a. the resource owner in this case) specify which user to authorize? Would the correct approach be to make a request to the Authorization Server with the grant type set to "client_credentials" and set the scope to user=user_id (where user_id would be the identifier for the user Bob)?

-David
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
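As an added illustration (not part of the thread), the following builds the client_credentials token request David proposes, in the shape RFC 6749 section 4.4 gives it, and then checks which of the requested scope values the authorization server actually granted; the endpoint URL, client id and secret are placeholders, and the `user=bob` scope value is an assumption taken from the question rather than anything an authorization server is required to understand.

```python
"""Added example: a client_credentials request carrying a user-designating
scope, plus a check on the scope the AS really issued. Endpoint, client id
and client secret are placeholders."""
import json
from base64 import b64encode
from urllib.parse import urlencode

TOKEN_ENDPOINT = "https://as.example.com/token"  # placeholder, not a real AS


def build_token_request(client_id, client_secret, scope):
    """Return (url, headers, body) for a client_credentials grant.

    The client authenticates itself, not a person: HTTP Basic with its own
    id and secret (RFC 6749 s2.3.1). The form body carries grant_type and
    an optional space-delimited scope (s4.4.2)."""
    creds = b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {creds}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({"grant_type": "client_credentials", "scope": scope})
    return TOKEN_ENDPOINT, headers, body


def check_token_response(raw_json, requested_scope):
    """Parse a token response and report the requested scope values that
    were NOT granted.

    RFC 6749 s3.3 lets the server issue a narrower scope than requested
    (and omit the scope parameter only when it is identical). A client
    that assumes it got "user=bob" without checking would call the
    resource server with rights it does not actually hold."""
    resp = json.loads(raw_json)
    if "error" in resp:
        raise ValueError(f"token request failed: {resp['error']}")
    if resp.get("token_type", "").lower() != "bearer":
        raise ValueError(f"unexpected token_type {resp.get('token_type')!r}")
    granted = set(resp.get("scope", requested_scope).split())
    missing = set(requested_scope.split()) - granted
    return resp["access_token"], sorted(granted), sorted(missing)


if __name__ == "__main__":
    url, hdrs, body = build_token_request("photo-app", "s3cret", "user=bob photos:read")
    print(url, hdrs["Authorization"][:6] + "...", body)
    # Constructed response in which the AS silently dropped user=bob.
    sample = '{"access_token":"tok123","token_type":"Bearer","scope":"photos:read"}'
    print(check_token_response(sample, "user=bob photos:read"))
```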