Could you point out which part of the spec specifies this (I am looking at draft 10)? In any case, I would expect the auth server to include the scopes granted in the access token response to avoid any ambiguity.
On Nov 29, 2010, at 8:40 AM, Eran Hammer-Lahav wrote:

> #2. Asking for scope on the access token call can only reduce the already
> approved scope.
>
> EHL
>
> From: [email protected] [mailto:[email protected]] On Behalf Of
> Anton Panasenko
> Sent: Friday, November 26, 2010 10:54 AM
> To: [email protected]
> Subject: [OAUTH-WG] OAuth 2.0 server behavior
>
> Hi,
>
> What behavior is expected from the server, if in the query on access_token
> without "scope"
> (grant_type=authorization_code&client_id=s6BhdRkqt3&client_secret=gX1fBat3bV&code=i1WsRn1uB1&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fc)?
>
> 1. The server must generate access_token for an empty scope.
> 2. The server must generate access_token for scope, which was approved for
> access_code.
>
> --
> Sincerely yours
> Anton Panasenko
> Skype: anton.panasenko
> Phone: +79179838291
> Email: [email protected], [email protected]
>
> _______________________________________________
> OAuth mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/oauth
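The behaviour agreed in the exchange above (a token request without `scope` gets the scope approved for the authorization code, a `scope` parameter may only narrow that scope, and the granted scope is echoed in the response) is shown here as a token-endpoint handler. This is an added example, not code from the thread or from any OAuth implementation; the code value, client id, client secret and redirect URI are taken from the quoted request, while the approved scopes, the token format and the helper names are constructed for this example.

```python
"""Scope handling for the OAuth 2.0 authorization_code grant at the token endpoint.

Added example. It models the point made in the thread: an omitted scope means
"the scope approved for the authorization code"; a requested scope may only
reduce that approved scope, never widen it; and the response always states the
scope that was actually granted so the client does not have to guess.
"""
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthCode:
    """An authorization code issued earlier in the flow and the scope approved for it."""
    client_id: str
    redirect_uri: str
    approved_scope: frozenset


# Constructed registries. The code, client id, secret and redirect URI match the
# quoted request; the approved scopes are made up for this example.
CLIENT_SECRETS = {"s6BhdRkqt3": "gX1fBat3bV"}
ISSUED_CODES = {
    "i1WsRn1uB1": AuthCode(
        client_id="s6BhdRkqt3",
        redirect_uri="https://client.example.com/c",
        approved_scope=frozenset({"read", "write"}),
    ),
}


class TokenError(Exception):
    """Carries the OAuth error code (invalid_grant, invalid_scope, ...)."""

    def __init__(self, error):
        super().__init__(error)
        self.error = error


def parse_scope(value):
    """Parse the space-delimited scope parameter; None means 'not present'."""
    if value is None or not value.strip():
        return None
    return frozenset(s for s in value.split(" ") if s)


def issue_token(params, codes=ISSUED_CODES, secrets=CLIENT_SECRETS):
    """Handle an authorization_code token request; return the response body as a dict."""
    if params.get("grant_type") != "authorization_code":
        raise TokenError("unsupported_grant_type")

    # Authenticate the client (constant-time compare of the shared secret).
    client_id = params.get("client_id", "")
    expected = secrets.get(client_id)
    if expected is None or not hmac.compare_digest(expected, params.get("client_secret", "")):
        raise TokenError("invalid_client")

    # The code must exist and must be bound to this client and redirect URI.
    code = codes.get(params.get("code"))
    if code is None or code.client_id != client_id or code.redirect_uri != params.get("redirect_uri"):
        raise TokenError("invalid_grant")

    requested = parse_scope(params.get("scope"))
    if requested is None:
        # Option 2 from the question: no scope parameter means the full scope
        # that was approved when the authorization code was issued.
        granted = code.approved_scope
    elif requested <= code.approved_scope:
        # A scope on the token call can only reduce the approved scope.
        granted = requested
    else:
        # Anything outside the approved scope is an escalation attempt; refuse
        # the request instead of silently trimming it.
        raise TokenError("invalid_scope")

    return {
        "access_token": "constructed-token-for-" + params["code"],  # opaque placeholder
        "token_type": "bearer",
        "scope": " ".join(sorted(granted)),  # always state what was actually granted
    }


def try_issue(params):
    """Convenience wrapper: ('ok', response) or ('error', error_code)."""
    try:
        return ("ok", issue_token(params))
    except TokenError as exc:
        return ("error", exc.error)


if __name__ == "__main__":
    base = {
        "grant_type": "authorization_code",
        "client_id": "s6BhdRkqt3",
        "client_secret": "gX1fBat3bV",
        "code": "i1WsRn1uB1",
        "redirect_uri": "https://client.example.com/c",
    }
    print(try_issue(base))                                # full approved scope
    print(try_issue({**base, "scope": "read"}))           # narrowed
    print(try_issue({**base, "scope": "read admin"}))     # invalid_scope
```

A real server would additionally mark the code as used after the first successful exchange; that bookkeeping is left out here to keep the scope logic in focus.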
