On 4/1/10 8:13 PM, "Peter Saint-Andre" <[email protected]> wrote:
> On 4/1/10 8:21 PM, Allen Tom wrote:
>> The way we do this at Yahoo is that the developer must indicate what scopes
>> they want to access when registering for a client_identifier/secret.
>>
>> Although we've done it this way for several years, we've gotten plenty of
>> feedback that client developers want the flexibility to specify the scopes
>> at user authorization time.
>
> OK, so the scope is something that the [developer of a] Client
> establishes beforehand with the Authorization Service. But that still
> doesn't tell us what a scope is. Does someone have a definition?

There isn't one - it's service specific.

The easy ones are:

- Duration
- List of protected resources, URI wildcard, or name of protected segment
- Read/write access or HTTP methods

3 years ago when we dropped the scope/token_attributes parameter from the
spec we decided to bring it back when we have enough deployment experience.
I strongly believe this rule still holds.

It would be great if those with OAuth 1.0a deployments can share how they
specify scope.

EHL