A feature I'd also like to have as a consumer is the reverse operation - starting with a broad scope for initial setup, then narrowing scope before storing my secret anywhere other than local memory.
On Friday, October 16, 2009, Allen Tom <[email protected]> wrote:
>
> Hi Robert,
>
> The text in the Yahoo documentation is not factually correct - however, it doesn't really matter for client developers who are calling our OAuth protected services.
>
> We currently do not allow developers to change the scopes for their consumer keys after we've issued them. The slang that we use within Yahoo is that the set of scopes is "baked" into the consumer key, which probably inspired our doc writer to write that the scopes are embedded within the consumer key.
>
> The actual implementation is that we record the scopes available to the consumer key in a database, and we query the database before showing the OAuth Approval screen to the user. The scopes are not encrypted inside the consumer key. It is technically possible for a Yahoo consumer key to have its scopes changed after it's been issued; however, we do not currently allow it.
>
> We do, however, embed the scopes inside the access token. Since Yahoo Access Tokens expire, but consumer keys do not, it's technically possible for a user to authorize additional scopes for an application, as long as the consumer gets a new Access Token after the scopes have been changed. This is essentially the flow that George Fletcher mentioned previously.
>
> We have received feedback from developers that they would like the ability to request additional scopes for their consumer keys. For example, applications may want to initially request a minimum set of scopes to avoid overwhelming their new users by asking for all possible scopes. Over time, the application can ask for additional scopes when needed. Another example is that applications are upgraded over time, and newer versions of the app may want to use additional scopes as they are upgraded.
>
> Hope that helps,
> Allen
>
> Robert Winch wrote:
>>
>> The one thing that I am still wondering about is the question that I worded poorly. Let me try to rephrase. I noticed that the Yahoo documentation states "the scopes (permissions) are embedded within the Consumer Key and cannot be changed. If you change the scopes for a particular application, Yahoo! issues a new Consumer Key." [1]. I was thinking it would make more sense to embed scopes in the AccessToken (as you have stated). This allows consumers to make requests to numerous different sets of resources without needing to have a different consumer key generated. The reason why I ask this is to ensure that I have not overlooked something. Are there problems (i.e. security concerns) with putting scopes in the Access Token? Perhaps I misunderstood the documentation and the scopes are actually in the Access Token (this appears likely from the way I am understanding your response).
>>
>> Thanks again for your help,
>> Rob
>>
>> [1] http://developer.yahoo.com/oauth/guide/oauth-auth-flow.html
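The design Allen describes (scopes recorded per consumer key in a database, the user-approved subset embedded in an expiring, integrity-protected access token) together with the scope-narrowing operation asked for at the top of this reply, as an added illustration that is not code from this thread or from Yahoo. The HMAC key, the consumer registry, the token layout and the `narrow_token` endpoint are constructed assumptions for the example.

```python
import base64, hashlib, hmac, json, time

# Constructed values for the example (not Yahoo's real key or registry).
SERVER_KEY = b"constructed-hmac-key-kept-only-on-the-server"
# Scopes "baked" per consumer key, looked up in a database at approval time.
CONSUMER_SCOPES = {"consumer-abc": {"profile", "contacts", "mail"}}

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _now(now):
    return int(time.time() if now is None else now)

def issue_token(consumer_key, approved_scopes, ttl=3600, now=None) -> str:
    """Server side: mint an access token that carries the user-approved scopes."""
    if not set(approved_scopes) <= CONSUMER_SCOPES[consumer_key]:
        raise ValueError("scope not registered for this consumer key")
    payload = {"ck": consumer_key, "scope": sorted(approved_scopes), "exp": _now(now) + ttl}
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    sig = _b64(hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"

def parse_token(token, now=None) -> dict:
    """Resource side: verify the MAC before trusting the embedded scopes, then check expiry."""
    body, sig = token.split(".")
    expected = _b64(hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad token signature")
    payload = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if payload["exp"] <= _now(now):
        raise ValueError("token expired")
    return payload

def has_scope(token, scope, now=None) -> bool:
    """Resource side: authorize a request against the scopes carried by the token."""
    return scope in parse_token(token, now)["scope"]

def narrow_token(token, keep_scopes, now=None) -> str:
    """The 'reverse operation': exchange a token for one carrying a subset of its scopes.
    Dropping scopes needs no new user approval; widening is refused, because extra scopes
    require the user to approve them and the consumer to fetch a new access token."""
    payload = parse_token(token, now)
    keep = set(keep_scopes)
    if not keep <= set(payload["scope"]):
        raise ValueError("cannot widen scope without a new user approval")
    return issue_token(payload["ck"], keep, ttl=payload["exp"] - _now(now), now=now)
```

Because the scopes live in the token rather than in the consumer key, the consumer key never changes; the approved set changes only by minting a new token, and the MAC is what keeps a holder from editing the scope list in transit.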
