Hi Robert,

The text in the Yahoo documentation is not factually correct - however it doesn't really matter for client developers who are calling our OAuth protected services.

We currently do not allow developers to change the scopes for their consumer keys after we've issued them. The slang that we use within Yahoo is that the set of scopes is "baked" into the consumer key, which probably inspired our doc writer to write that the scopes are embedded within the consumer key. The actual implementation is that we record the scopes available to the consumer key in a database, and we query the database before showing the OAuth Approval screen to the user. The scopes are not encrypted inside the consumer key. It is technically possible for a Yahoo consumer key to have its scopes changed after it's been issued; however, we do not currently allow it.

We do, however, embed the scopes inside the access token. Since Yahoo Access Tokens expire, but consumer keys do not, it's technically possible for a user to authorize additional scopes for an application, as long as the consumer gets a new Access Token after the scopes have been changed. This is essentially the flow that George Fletcher mentioned previously.

We have received feedback from developers that they would like the ability to request additional scopes for their consumer keys. For example, applications may want to initially request a minimum set of scopes to avoid overwhelming their new users by asking for all possible scopes. Over time, the application can ask for additional scopes when needed. Another example is that applications are upgraded over time, and newer versions of the app may want to use additional scopes as they are upgraded.

Hope that helps,
Allen

Robert Winch wrote:
>
> The one thing that I am still wondering about is the question that I
> worded poorly. Let me try to rephrase. I noticed that the Yahoo
> documentation states "the scopes (permissions) are embedded within the
> Consumer Key and cannot be changed. If you change the scopes for a
> particular application, Yahoo! issues a new Consumer Key." [1].
>
> I was thinking it would make more sense to embed scopes in the AccessToken
> (as you have stated). This allows consumers to make requests to
> numerous different sets of resources without needing to have a
> different consumer key generated. The reason why I ask this is to
> ensure that I have not overlooked something. Are there problems (i.e.
> security concerns) with putting scopes in the Access Token? Perhaps I
> misunderstood the documentation and the scopes are actually in the
> Access Token (this appears likely from the way I am understanding your
> response).
>
> Thanks again for your help,
> Rob
>
> [1] http://developer.yahoo.com/oauth/guide/oauth-auth-flow.html

--
You received this message because you are subscribed to the Google Groups "OAuth" group. For more options, visit this group at http://groups.google.com/group/oauth?hl=en
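The design Allen describes, as an added example that is not part of this thread and not Yahoo's code: the scopes allowed to a consumer key live only in a server-side table (the key string carries nothing), the approval step refuses any request that exceeds that table, and the access token that is issued embeds the granted scopes in a signed, expiring payload so the resource server can authorize from the token alone. The consumer key value, the HMAC-signed token format and the scope names are all constructed for illustration; the real Yahoo token format is not described in the thread.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed signing secret for the demo; a real authorization server keeps this out of code.
SERVER_SECRET = b"constructed-demo-secret"

# Constructed registry: the scopes "baked" into each consumer key at issue time.
# This is the database lookup the thread describes; the key string itself says nothing.
CONSUMER_KEY_SCOPES = {
    "ck-demo-0001": frozenset({"profile:read", "contacts:read"}),
}


def scopes_for_consumer(consumer_key):
    """Approval-screen lookup: which scopes may this key ever be granted?"""
    try:
        return CONSUMER_KEY_SCOPES[consumer_key]
    except KeyError:
        raise ValueError("unknown consumer key") from None


def approve_scopes(consumer_key, requested):
    """Reject any request beyond the key's baked-in scopes before showing the approval screen."""
    allowed = scopes_for_consumer(consumer_key)
    requested = frozenset(requested)
    if not requested <= allowed:
        raise PermissionError(f"scopes not baked into key: {sorted(requested - allowed)}")
    return requested


def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def _b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_access_token(consumer_key, user_id, granted, now=None, ttl=3600):
    """Embed the granted scopes (and an expiry) in an HMAC-signed token."""
    granted = approve_scopes(consumer_key, granted)
    now = time.time() if now is None else now
    payload = {"ck": consumer_key, "sub": user_id, "scope": sorted(granted), "exp": int(now + ttl)}
    body = _b64e(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(SERVER_SECRET, body, hashlib.sha256).digest()
    return (body + b"." + _b64e(sig)).decode()


def verify_access_token(token, now=None):
    """Resource server: check signature and expiry, then trust the embedded scopes."""
    body, sig = token.split(".")
    expected = hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64d(sig)):
        raise ValueError("bad signature")
    payload = json.loads(_b64d(body))
    now = time.time() if now is None else now
    if payload["exp"] <= now:
        raise ValueError("token expired")
    return payload


def has_scope(token, needed_scope, now=None):
    """Authorization decision made from the token alone; no consumer-key lookup is needed."""
    return needed_scope in verify_access_token(token, now)["scope"]


def incremental_scope_flow(now=1_000_000):
    """The flow from the thread: start minimal, later grant more, and get a NEW token for it."""
    ck = "ck-demo-0001"
    first = issue_access_token(ck, "user42", ["profile:read"], now=now)
    # The user later approves contacts:read too; the consumer must fetch a fresh token.
    second = issue_access_token(ck, "user42", ["profile:read", "contacts:read"], now=now + 60)
    later = now + 120
    return {
        "old_token_contacts": has_scope(first, "contacts:read", now=later),   # False
        "old_token_profile": has_scope(first, "profile:read", now=later),     # True
        "new_token_contacts": has_scope(second, "contacts:read", now=later),  # True
    }


if __name__ == "__main__":
    print(incremental_scope_flow())
```

The point worth noticing is that the old token keeps only the scopes it was issued with until it expires; a scope added later never retroactively widens an already-issued token, which is why the thread says the consumer has to obtain a new Access Token after the scopes change.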
