On 04/12/12 22:24, Sergey Beryozkin wrote:
We are working with one of our users on the support for pre-authorized
tokens which can be checked by AS at the initial end user redirection to
this AS before requesting the end-user authorization.
My assumption is that if the pre-authorized token exists then the client
provided scope, if any, is basically ignored, because the end user has
already pre-authorized a given client with a specific token which will
have a scope set as requested by the end user at the pre-authorization
time.
Is that right? IMHO yes, and the best the AS can do in this case is simply
log what scope the client is actually requesting but reply with the
token containing the pre-authorized scope; please correct me if not.
We've decided to treat this case similarly to the client-driven
down-scoping request with the help of the refresh grant...
thanks, Sergey
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
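The scope decision described in the message above, written out as an added example (not code from the mailing-list post or from any project it refers to). It models an AS that, when a pre-authorization exists for the client and end user, treats the client-supplied scope the way the post proposes, like a refresh-grant down-scoping request: a subset of the pre-authorized scope is honoured, anything broader is logged and the pre-authorized scope is issued unchanged. The names (`PreAuthorization`, `ScopeDecision`, `narrow_scope`, `resolve_scope`, `downscope_on_refresh`) and the sample records are assumptions made for this illustration; the refresh-grant rule it mirrors is the one in RFC 6749 section 6.

```python
"""Added example (not from the mailing-list post or any project it refers to):
one way an authorization server (AS) could resolve the scope it issues when a
pre-authorized token exists for the requesting client and end user.

All names here (PreAuthorization, ScopeDecision, narrow_scope, resolve_scope,
downscope_on_refresh) and the sample data are assumptions for illustration.
"""
from dataclasses import dataclass, field
import logging

logger = logging.getLogger("as.scope")


@dataclass(frozen=True)
class PreAuthorization:
    """Scope the end user granted to a client ahead of time (constructed record)."""
    client_id: str
    user_id: str
    scope: frozenset


@dataclass
class ScopeDecision:
    granted: frozenset          # scope the issued token will carry
    needs_consent: bool         # True -> no pre-authorization, run the normal consent step
    excess: frozenset = field(default_factory=frozenset)  # requested but not authorized


def narrow_scope(authorized, requested):
    """Invariant shared by both paths: the client may narrow the scope the user
    authorized but never widen it. Returns (scope_to_issue, excess)."""
    authorized = frozenset(authorized)
    requested = frozenset(requested or ())
    if not requested:
        return authorized, frozenset()
    excess = requested - authorized
    if excess:
        return authorized, excess
    return requested, frozenset()


def resolve_scope(client_id, user_id, requested, preauths):
    """Authorization request handling.

    With a pre-authorization on file, the client-supplied scope is treated like a
    refresh-grant down-scoping request: a subset of the pre-authorized scope is
    honoured, anything beyond it is logged and the pre-authorized scope is issued
    as-is. Without one, the requested scope goes to the consent step.
    """
    for pa in preauths:
        if pa.client_id == client_id and pa.user_id == user_id:
            granted, excess = narrow_scope(pa.scope, requested)
            if excess:
                logger.info("client %s requested %s beyond pre-authorized %s; "
                            "issuing pre-authorized scope",
                            client_id, sorted(excess), sorted(pa.scope))
            return ScopeDecision(granted=granted, needs_consent=False, excess=excess)
    return ScopeDecision(granted=frozenset(requested or ()), needs_consent=True)


def downscope_on_refresh(original_scope, requested):
    """Refresh grant (RFC 6749 section 6): the new token may carry at most the
    originally granted scope; a broader request is an invalid_scope error."""
    granted, excess = narrow_scope(original_scope, requested)
    if excess:
        raise ValueError("invalid_scope: refresh may not add %s" % sorted(excess))
    return granted


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    # Constructed sample: alice pre-authorized app-1 for read+write.
    pa = PreAuthorization("app-1", "alice", frozenset({"read", "write"}))
    print(resolve_scope("app-1", "alice", {"read", "admin"}, [pa]))
```

The point of routing both paths through `narrow_scope` is that the issued scope can never exceed what the end user authorized, whichever way the client arrived; the only difference between the two paths is whether an over-broad request is logged and capped (pre-authorization) or rejected outright (refresh).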