We are having a bit of a philosophical discussion regarding the requirement for data to exist as a condition for an OAuth 2.0 access token to be granted, and I'd like to get the opinions of the IETF OAuth WG.

The two points of view are:

1. There are no requirements in "The OAuth 2.0 Framework" [RFC6749] specification that require data to exist prior to an access token being granted, and therefore the requirement that data exist should NOT be a consideration for granting or denying an access token request, as long as all of the other requirements for granting an access token are met.

2. There are many potential applications that are a one-shot access request. These would be confused if they receive an access token allowing them to access information that does NOT exist.

A potential solution that might meet both requirements is to add a SCOPE parameter the client MAY provide indicating an access token should only be issued if data does exist. The default would be that, absent the SCOPE parameter, the Authorization Server would issue an approved access token regardless of the existence or absence of data at the time of the request.

I'd like to hear what the WG feels is a best practice solution to resolve our existing implementation conflict.

Best regards,
Don

Donald F. Coffin
Founder/CTO
REMI Networks
22751 El Prado Suite 6216
Rancho Santa Margarita, CA 92688-3836
Phone: (949) 636-8571
Email: donald.cof...@reminetworks.com
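One way to sketch the proposed opt-in behaviour at the token endpoint, as an added example that is not part of the original message: absent the scope the token is issued regardless, with the scope present it is issued only if data exists. The scope value `require-data`, the extension error code and the `data_exists` flag are assumptions; neither the thread nor RFC 6749 defines them.

```python
import secrets

# Hypothetical scope value for the opt-in proposed in the thread (not in RFC 6749).
REQUIRE_DATA_SCOPE = "require-data"
# Hypothetical extension error code; RFC 6749 section 8.5 allows extension errors
# but the thread does not name one.
NO_DATA_ERROR = "no_data_available"


def decide_token_request(requested_scopes, data_exists):
    """Return (http_status, body) for a token request whose other checks
    (client authentication, grant validity, resource-owner consent) already passed.

    Default (scope absent): issue the token whether or not data exists.
    Opt-in (scope present): issue only if data exists for the resource owner.
    Response bodies follow RFC 6749 section 5.1 (success) and 5.2 (error).
    """
    scopes = set(requested_scopes.split()) if requested_scopes else set()

    if REQUIRE_DATA_SCOPE in scopes and not data_exists:
        # Client asked to be refused rather than receive a token to nothing.
        return 400, {
            "error": NO_DATA_ERROR,
            "error_description": "No data exists for the authorized resource owner.",
        }

    body = {
        # Opaque bearer token from a CSPRNG; the AS maps it to the grant server-side.
        "access_token": secrets.token_urlsafe(32),
        "token_type": "Bearer",
        "expires_in": 3600,
    }
    if scopes:
        # Echo the granted scope so the client can see the opt-in was honoured.
        body["scope"] = " ".join(sorted(scopes))
    return 200, body


if __name__ == "__main__":
    for req, exists in [("read", False), ("read require-data", False), ("read require-data", True)]:
        status, body = decide_token_request(req, exists)
        print(status, body)
```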