The way we do this at Yahoo is that the developer must indicate what scopes they want to access when registering for a client_identifier/secret.
Although we've done it this way for several years, we've gotten plenty of feedback that client developers want the flexibility to specify the scopes at user authorization time. Allen On 4/1/10 6:59 PM, "Peter Saint-Andre" <[email protected]> wrote: > > > If that's true, then how does the Authorization Server know what scope > is appropriate at the Protected Resource? Does inclusion of the scope > parameter require a 1:1 mapping between AS and PR, or at least > communication between AS and PR? > > Peter _______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
