Allen & George, Thank you for the additional information. It has helped me to feel more comfortable with my understanding of the specification and some of the decisions I need to make when implementing it.
Regards,
Rob

On Fri, Oct 16, 2009 at 10:48 PM, Allen Tom <[email protected]> wrote:
>
> Hi Robert,
>
> The text in the Yahoo documentation is not factually correct - however
> it doesn't really matter for client developers who are calling our OAuth
> protected services.
>
> We currently do not allow developers to change the scopes for their
> consumer keys after we've issued them. The slang that we use within
> Yahoo is that the set of scopes is "baked" into the consumer key, which
> probably inspired our doc writer to write that the scopes are embedded
> within the consumer key.
>
> The actual implementation is that we record the scopes available to the
> consumer key in a database, and we query the database before showing the
> OAuth Approval screen to the user. The scopes are not encrypted inside
> the consumer key. It is technically possible for a Yahoo consumer key to
> have its scopes changed after it's been issued; however, we do not
> currently allow it.
>
> We do, however, embed the scopes inside the access token. Since Yahoo
> Access Tokens expire but consumer keys do not, it's technically
> possible for a user to authorize additional scopes for an application,
> as long as the consumer gets a new Access Token after the scopes have
> been changed. This is essentially the flow that George Fletcher
> mentioned previously.
>
> We have received feedback from developers that they would like the
> ability to request additional scopes for their consumer keys. For
> example, applications may want to initially request a minimum set of
> scopes to avoid overwhelming their new users by asking for all possible
> scopes. Over time, the application can ask for additional scopes when
> needed. Another example is that applications are upgraded over time, and
> newer versions of the app may want to use additional scopes as they are
> upgraded.
>
> Hope that helps,
> Allen
>
> Robert Winch wrote:
> >
> > The one thing that I am still wondering about is the question that I
> > worded poorly. Let me try to rephrase. I noticed that the Yahoo
> > documentation states "the scopes (permissions) are embedded within the
> > Consumer Key and cannot be changed. If you change the scopes for a
> > particular application, Yahoo! issues a new Consumer Key." [1]. I was
> > thinking it would make more sense to embed scopes in the AccessToken
> > (as you have stated). This allows consumers to make requests to
> > numerous different sets of resources without needing to have a
> > different consumer key generated. The reason why I ask this is to
> > ensure that I have not overlooked something. Are there problems (i.e.
> > security concerns) with putting scopes in the Access Token? Perhaps I
> > misunderstood the documentation and the scopes are actually in the
> > Access Token (this appears likely from the way I am understanding your
> > response).
> >
> > Thanks again for your help,
> > Rob
> >
> > [1] http://developer.yahoo.com/oauth/guide/oauth-auth-flow.html
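The token design Allen describes above (scopes allowed per consumer key kept in a server-side table, the granted scopes and an expiry carried inside the access token, and a new token issued when the user approves more scopes), as an added example that is not part of this thread or of Yahoo's implementation. The HMAC-signed token format, the consumer key `consumer-abc`, the scope names and the server secret are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample: the scopes each consumer key is permitted to request.
# This is the server-side table Allen describes; changing it does not alter
# any access token that has already been issued.
CONSUMER_SCOPES = {"consumer-abc": {"profile", "contacts"}}

# Assumption: a server-only key used to sign tokens so their scopes cannot be edited.
SERVER_SECRET = b"constructed-server-secret"


def issue_access_token(consumer_key, requested, approved, ttl=3600, now=None):
    """Issue a token carrying the scopes that are allowed for the consumer key,
    were requested by the application, and were approved by the user."""
    allowed = CONSUMER_SCOPES.get(consumer_key, set())
    granted = set(requested) & allowed & set(approved)
    if not granted:
        raise ValueError("no grantable scopes for this consumer key")
    payload = {
        "ck": consumer_key,
        "scopes": sorted(granted),
        "exp": int((now if now is not None else time.time()) + ttl),
    }
    body = base64.urlsafe_b64encode(json.dumps(payload).encode()).decode()
    mac = hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"


def token_scopes(token, now=None):
    """Return the scope set embedded in a valid, unexpired token, else None."""
    body, _, mac = token.rpartition(".")
    expected = hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None  # tampered or forged token
    payload = json.loads(base64.urlsafe_b64decode(body))
    if payload["exp"] <= (now if now is not None else time.time()):
        return None  # expired: the consumer must obtain a fresh token
    return set(payload["scopes"])


def authorize(token, required_scope, now=None):
    """Resource-server check: the token itself must carry the required scope."""
    scopes = token_scopes(token, now)
    return scopes is not None and required_scope in scopes
```

Because the scopes live in the token, an application that later needs `contacts` re-runs the approval flow and receives a second token; the first token keeps only the scopes it was issued with.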
