The scope of resources protected by an OAuth 1.x access token is out of the scope of the protocol. An SP is free to expose whatever user interface to the user to constrain what resources can be accessed using the token.
Paul

-----Original Message-----
From: Gerald <[email protected]>
Reply-to: [email protected]
To: OAuth <[email protected]>
Subject: [oauth] Finer-grained access control in OAuth?
Date: Sat, 20 Mar 2010 10:58:07 -0700 (PDT)

Hi, all

I have been following OAuth work for some time. Also, I have developed some apps using OAuth. One problem I encountered often is granularity of access. In the current spec, after a user accepts the access request from a third-party app, the app can access all of the user's data in an arbitrary way. It is helpful to allow users to control
1) which portion of his/her data will be exposed to third-party apps
2) what operations are allowed (read? write? update? etc).

I believe the OAuth community must have considered this problem before. But it's not included in the spec. I wonder whether there have been serious discussions on this problem. Can anyone point me to some related resources/pages/threads?

Thanks
Gerald
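The kind of SP-side constraint discussed in this thread, sketched as an added example (not from the thread or from any OAuth specification): the SP records, per access token, which resources and operations the user approved, and checks every request against that record. The class, function, token, and path names are hypothetical.

```python
# Added example: SP-side enforcement of a per-token grant.
# All names here are hypothetical; OAuth 1.x defines none of them.
from dataclasses import dataclass

READ, WRITE, UPDATE = "read", "write", "update"


def _segments(path):
    """Split a path into segments, dropping empty ones."""
    return [p for p in path.split("/") if p]


@dataclass(frozen=True)
class Grant:
    """What the user approved on the SP's authorization page for one token."""
    user: str
    resources: frozenset   # approved path prefixes, e.g. "/photos"
    operations: frozenset  # approved operations, e.g. {"read"}


class GrantStore:
    def __init__(self):
        self._by_token = {}

    def issue(self, token, user, resources, operations):
        # An empty prefix would match every path, so refuse it up front.
        if not resources or any(not _segments(r) for r in resources):
            raise ValueError("grant must name at least one non-root resource")
        self._by_token[token] = Grant(user, frozenset(resources),
                                      frozenset(operations))

    def authorize(self, token, operation, path):
        """Default deny: unknown token, operation, or resource is refused."""
        grant = self._by_token.get(token)
        if grant is None or operation not in grant.operations:
            return False
        parts = _segments(path)
        # Refuse dot segments instead of normalizing them away.
        if "." in parts or ".." in parts:
            return False
        # Compare whole segments so "/photos" does not cover "/photos-private".
        return any(parts[:len(_segments(r))] == _segments(r)
                   for r in grant.resources)


if __name__ == "__main__":
    store = GrantStore()
    store.issue("tok-constructed", "gerald", ["/photos"], [READ])  # constructed sample
    for op, path in [(READ, "/photos/2010/a.jpg"), (WRITE, "/photos/2010/a.jpg"),
                     (READ, "/photos-private/x"), (READ, "/photos/../contacts")]:
        print(op, path, store.authorize("tok-constructed", op, path))
```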
