As Eran pointed out, the way you've formatted your scope request,
you've only specified one scope and I'd guess to keep things simple
and consistent can either be approved or denied. I don't have a spec
reference about what happens when the user doesn't approve but I
assume the response is sent to
-1 to separate parameters. I'd imagine every provider has the same
issues as the ones you point out, however I don't think we should take
another step toward complexity in this area. We've all managed to
squeeze our resource access control semantics down into a single value
and it usually requires
Hi Phil,
I actually think this rephrasing of the rule of thumb is not really
helpful based on how the word "legs" has been used in my experience of
discussing and teaching OAuth. I actually tried to be pretty explicit
about this topic in a talk I did at Google I/O last year because we
have lots of
