Re: [OAUTH-WG] invalid_scope in access token request

2015-07-07 Thread Aaron Parecki
Thanks, the refresh grant was the case I was missing.

Aaron Parecki
aaronparecki.com
@aaronpk

On Tue, Jul 7, 2015 at 8:13 AM, John Bradley wrote:
> In sec 6 you can send scope to down scope a refresh token.
>
> In that case if the client asks for a scope that

Re: [OAUTH-WG] invalid_scope in access token request

2015-07-07 Thread John Bradley
In sec 6 you can send scope to down scope a refresh token.

In that case if the client asks for a scope that was not part of the original code grant then you would return invalid_scope.

It is not an error in the spec.

Regards
John B.

> On Jul 7, 2015, at 11:42 AM, Aaron Parecki wrote:
>
> Se
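The refresh-grant case from the message above, as an added example that is not part of the thread: a token endpoint handler that down-scopes on refresh and returns invalid_scope when the request exceeds the original grant (RFC 6749 sections 5.2 and 6). The token store, the sample token value and the function names are assumptions, and client authentication is assumed to have happened already.

```python
import secrets

# Constructed sample: refresh token -> scope originally granted by the resource owner.
GRANTED = {"rt-sample-1": frozenset({"profile", "email", "calendar.read"})}


def error(code, description):
    # Section 5.2: token endpoint errors are HTTP 400 with a JSON body.
    return 400, {"error": code, "error_description": description}


def refresh(params, store=GRANTED):
    """Handle grant_type=refresh_token; returns (http_status, json_body).

    Client authentication is assumed to have succeeded before this call.
    """
    granted = store.get(params.get("refresh_token"))
    if granted is None:
        return error("invalid_grant", "unknown, expired or revoked refresh token")

    if "scope" not in params:
        # Section 6: an omitted scope means "same scope as originally granted".
        effective = granted
    else:
        # Scope values are space-delimited and case-sensitive.
        requested = frozenset(params["scope"].split())
        if not requested:
            return error("invalid_scope", "scope parameter is empty")
        excess = requested - granted
        if excess:
            # Never widen on refresh: reject rather than silently trimming.
            return error("invalid_scope",
                         "not originally granted: " + " ".join(sorted(excess)))
        effective = requested

    return 200, {
        "access_token": secrets.token_urlsafe(32),
        "token_type": "Bearer",
        "expires_in": 3600,
        "scope": " ".join(sorted(effective)),
    }


if __name__ == "__main__":
    base = {"grant_type": "refresh_token", "refresh_token": "rt-sample-1"}
    for scope in (None, "email", "email admin"):
        req = dict(base) if scope is None else dict(base, scope=scope)
        print(scope, "->", refresh(req))
```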

Re: [OAUTH-WG] invalid_scope in access token request

2015-07-07 Thread Aaron Parecki
Section 4.1.1 describes the parameters of the *authorization* request, not the token request. After the user approves the scope in the authorization request, the client exchanges the code for the access token. I'm talking about the token request, where there is no scope parameter listed, section 4.

Re: [OAUTH-WG] invalid_scope in access token request

2015-07-07 Thread Antonio Sanso
Hi Aaron

On Jul 7, 2015, at 6:23 AM, Aaron Parecki <aa...@parecki.com> wrote:

Section 5.2 lists the possible errors the authorization server can return for an access token request. In the list is "invalid_scope", which as I understand it, can only be returned for a "password" or "client

[OAUTH-WG] invalid_scope in access token request

2015-07-06 Thread Aaron Parecki
Section 5.2 lists the possible errors the authorization server can return for an access token request. In the list is "invalid_scope", which as I understand it, can only be returned for a "password" or "client_credentials" grant, since scope is not a parameter of an "authorization_code" grant. Bec