When the API is standardized, it makes sense for the scope parameter to be 
standardized. If the API is unique to the PR, then the scope will also be 
unique. There may be concepts that are similar across unique APIs, but there 
will be nuances that are important to be aware of.

To answer your question about where the scope parameter comes from: 
documentation for the API.

-- Dick

On 2010-06-24, at 3:58 AM, Tschofenig, Hannes (NSN - FI/Espoo) wrote:

> The question is whether one would ever want to have a standardized semantic 
> for the scope parameter. 
> If the answer to that question is "no" then it does not matter what the 
> format is. It can well be a list of space-delimited strings (as it is 
> currently defined). 
> An environment specific semantic works well in cases where entity X sets the 
> value and later it receives the value again. Only entity X needs to 
> understand what it means.
> In some environments the use case is slightly different, namely entity X and 
> entity Y are from the same organization and agree on the semantic. Usage of 
> OAuth within an enterprise might be such a case. 
> Now, the usage of the scope parameter is, however, a bit different in the 
> spec. Section 4, for example, describes how a client obtains an access token. 
> How does the client know what scope parameters to set and what the semantic 
> is?
> Ciao
> Hannes
>> -----Original Message-----
>> From: ext Lukas Rosenstock [mailto:l...@lukasrosenstock.net] 
>> Sent: Thursday, June 24, 2010 10:49 AM
>> To: Dick Hardt
>> Cc: Tschofenig, Hannes (NSN - FI/Espoo); OAuth WG
>> Subject: Re: [OAUTH-WG] Scope :: Was: Extensibility for OAuth?
>> Wasn't there some consensus that URIs would be good for scope? They
>> have "in-built namespacing" ...
>> Lukas
>> 2010/6/23 Dick Hardt <dick.ha...@gmail.com>:
>>> On 2010-06-22, at 11:07 PM, Tschofenig, Hannes (NSN - FI/Espoo) wrote:
>>>> "
>>>>   scope
>>>>         OPTIONAL.  The scope of the access request expressed as a list
>>>>         of space-delimited strings.  The value of the "scope" parameter
>>>>         is defined by the authorization server.  If the value contains
>>>>         multiple space-delimited strings, their order does not matter,
>>>>         and each string adds an additional access range to the
>>>>         requested scope.
>>>> "
>>>> Do folks think it would be useful to have standardized values?
>>> Not at this time. The semantics of scope are all over the place. If
>>> standardized, people will feel they need to pick one that is close to
>>> what they want, but is not exactly what they mean. I think it is better
>>> for the AS to define what they mean by a scope and give it a name that
>>> makes sense in that context.
>>>> If the answer is "yes", then it would be useful to differentiate the
>>>> standardized values from those values that are purely defined locally by
>>>> the authorization server.
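
Added example, not part of the original thread: a sketch of how an authorization server could apply the quoted draft text, treating scope as an unordered set of space-delimited strings whose meaning comes only from its own documented catalogue. The catalogue entries, the example.com URI, and the function names are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Hypothetical AS-defined catalogue (constructed). Per the thread, a client
# learns these names and their meaning from the API documentation.
AS_DEFINED_SCOPES = {
    "contacts.read": "read the address book",
    "contacts.write": "modify the address book",
    "https://api.example.com/scope/photos": "read photos",  # URI-style name
}


def parse_scope(raw):
    """Split a scope value into an unordered set of strings.

    The draft says the value is space-delimited and that order does not
    matter, so a frozenset is used and empty tokens are dropped.
    """
    return frozenset(token for token in raw.split(" ") if token)


def is_uri_scope(token):
    """True for absolute http(s) URIs, the namespaced style raised in the thread."""
    parts = urlsplit(token)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def evaluate_request(raw, client_allowed):
    """Return (granted, rejected) for a requested scope string.

    Strings missing from the catalogue are rejected rather than guessed at,
    because only the AS gives a scope string its meaning. Known strings the
    client is not registered for are rejected as well.
    """
    requested = parse_scope(raw)
    granted = requested & frozenset(AS_DEFINED_SCOPES) & frozenset(client_allowed)
    return granted, requested - granted


if __name__ == "__main__":
    # Constructed request: one local name, one unknown name, one URI name.
    raw = "contacts.read admin https://api.example.com/scope/photos"
    allowed = {"contacts.read", "https://api.example.com/scope/photos"}
    granted, rejected = evaluate_request(raw, allowed)
    for token in sorted(granted):
        kind = "URI-named" if is_uri_scope(token) else "locally named"
        print(f"grant  {token} ({kind}): {AS_DEFINED_SCOPES[token]}")
    for token in sorted(rejected):
        print(f"reject {token}")
```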
