On Fri, Aug 10, 2018 at 2:35 AM Denis <denis.i...@free.fr> wrote:

> Hi William,
>
> The draft states:
>
>   The goal of incremental authorization is to enhance end-user privacy
>   by allowing clients to request only the authorization scopes needed
>   in the context of a particular user action, rather than asking for
>   every possible scope upfront.
>
> Removing the requirement to request every possible scope that might be
> needed upfront would indeed be a nice feature.
>
> Authorization scopes will thus be used in the context of a particular
> action.
>
That implies that an authorization request is made on each action. In many
use cases that is not true. Access is needed asynchronously.

> Servers should determine whether the authorization scope
> matches with a particular action. However, the principle of minimum
> attributes should be used: only the authorization scope needed
> to perform the particular action should be requested and then sent. In
> other words, authorization scopes should not be incremental.
>

Your use case of on-demand authorization is different from the incremental
authorization use case. The incremental use case is where trust is being
built between the user and the client. Initially, the user only provides a
little authorization. As trust builds and the user would like more
functionality, the app can ask for additional scopes to provide more
functionality to the user.

/Dick
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
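The incremental pattern Dick describes, as an added example that is not part of the thread or the draft: a client-side scope ledger that requests only the scopes a user action still lacks and merges what the server actually granted, which RFC 6749 allows to be narrower than what was asked. The endpoint, client identifiers and the action-to-scope map are constructed placeholders; `include_granted_scopes` is the parameter the incremental authorization draft defines for folding earlier grants into the new token.

```python
from urllib.parse import urlencode

AUTHZ_ENDPOINT = "https://as.example/authorize"  # constructed placeholder

# Constructed mapping of user actions to the scopes each one needs.
ACTION_SCOPES = {
    "view_profile": {"profile"},
    "read_calendar": {"calendar.read"},
    "add_event": {"calendar.read", "calendar.write"},
}


class ScopeLedger:
    """Tracks scopes the user has granted so far and asks only for the delta."""

    def __init__(self):
        self.granted = set()

    def missing_for(self, action):
        """Scopes the action needs that have not been granted yet."""
        return ACTION_SCOPES[action] - self.granted

    def authorization_request(self, action, client_id, redirect_uri, state):
        """Build an authorization URL for the missing scopes only.

        Returns None when the action is already fully authorized, so no
        user interaction is needed. include_granted_scopes=true asks the
        server to include previously granted scopes in the new token.
        """
        missing = self.missing_for(action)
        if not missing:
            return None
        params = {
            "response_type": "code",
            "client_id": client_id,
            "redirect_uri": redirect_uri,
            "scope": " ".join(sorted(missing)),
            "state": state,
            "include_granted_scopes": "true",
        }
        return f"{AUTHZ_ENDPOINT}?{urlencode(params)}"

    def record_grant(self, requested, token_response):
        """Merge the granted scopes from a token response (RFC 6749 5.1).

        The 'scope' field is optional when it equals what was requested and
        required when the server granted something different, so its absence
        means 'as requested' and its presence is authoritative.
        """
        granted = set(token_response["scope"].split()) if "scope" in token_response else set(requested)
        self.granted |= granted
        return self.granted
```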