On 04/02/2010 06:07 AM, Luke Shepard wrote:

On Apr 1, 2010, at 6:59 PM, Peter Saint-Andre wrote:

If that's true, then how does the Authorization Server know what scope
is appropriate at the Protected Resource? Does inclusion of the scope
parameter require a 1:1 mapping between AS and PR, or at least
communication between AS and PR?

My preferred way of handling this is to have the Protected Resource throw a 403 Forbidden error, with an error message that specifies the scope needed - e.g., "oauth_scope_required=photo_read".


Here is a bit of Kerberos-lore: it is sometimes important to
protect your error messages too!

When you pass critical parameters ("you need this scope for
access"), the error message suddenly becomes something
you may have to protect.

        Cheers Leif
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
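The two points in the exchange above, as an added example that is not part of the thread or of any OAuth implementation: a minimal Protected Resource check that returns Luke's 403 with `oauth_scope_required=<scope>` when a valid token lacks the needed scope, but, following Leif's caution, withholds that hint from callers who present no valid token at all. The token store, resource-to-scope map and the `Bearer` challenge scheme are assumptions made for the example.

```python
"""Constructed Protected Resource handler (example code, not from the thread).

A 403 names the scope the caller still needs (Luke's proposal); an
unauthenticated caller gets a bare 401 so the resource's access policy
is not disclosed to arbitrary parties (Leif's point about protecting
error messages)."""
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import urlencode

# Constructed token store: opaque access token -> granted scopes.
TOKENS = {
    "tok-abc": {"photo_read"},
    "tok-xyz": {"profile_read"},
}

# Constructed policy: resource path -> scope required to read it.
RESOURCE_SCOPES = {
    "/photos/42": "photo_read",
    "/me": "profile_read",
}


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


def handle_get(path: str, token: Optional[str]) -> Response:
    """Authorize a GET on `path` using the bearer `token` (None if absent)."""
    required = RESOURCE_SCOPES.get(path)
    if required is None:
        return Response(404)
    granted = TOKENS.get(token) if token else None
    if granted is None:
        # No valid token: challenge, but say nothing about which scope
        # protects this resource. (Scheme name is an assumption here.)
        return Response(401, {"WWW-Authenticate": "Bearer"})
    if required not in granted:
        # Valid token, insufficient scope: the hint from the thread,
        # sent only to a caller the AS has already vouched for.
        return Response(403, body=urlencode({"oauth_scope_required": required}))
    return Response(200, body=f"contents of {path}")
```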
