It's not that explicit. I'll fix it.

EHL
> -----Original Message-----
> From: Subbu Allamaraju [mailto:[email protected]]
> Sent: Monday, November 29, 2010 12:44 PM
> To: Eran Hammer-Lahav
> Cc: Anton Panasenko; [email protected]
> Subject: Re: [OAUTH-WG] OAuth 2.0 server behavior
>
> Could you point which part of the spec specifies this (am looking at draft 10)?
> In any case, I would expect the auth server to include the scopes granted in the access token response to avoid any ambiguity.
>
> On Nov 29, 2010, at 8:40 AM, Eran Hammer-Lahav wrote:
>
> > #2. Asking for scope on the access token call can only reduce the already approved scope.
> >
> > EHL
> >
> > From: [email protected] [mailto:[email protected]] On Behalf Of Anton Panasenko
> > Sent: Friday, November 26, 2010 10:54 AM
> > To: [email protected]
> > Subject: [OAUTH-WG] OAuth 2.0 server behavior
> >
> > Hi,
> >
> > What behavior is expected from the server, if in the query on access_token without "scope" (grant_type=authorization_code&client_id=s6BhdRkqt3&client_secret=gX1fBat3bV&code=i1WsRn1uB1&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fc)?
> >
> > 1. The server must generate access_token for an empty scope.
> > 2. The server must generate access_token for scope, which was approved for access_code.
> >
> > --
> > Sincerely yours
> > Anton Panasenko
> > Skype: anton.panasenko
> > Phone: +79179838291
> > Email: [email protected], [email protected]
> >
> > _______________________________________________
> > OAuth mailing list
> > [email protected]
> > https://www.ietf.org/mailman/listinfo/oauth
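The behavior settled on in this thread, sketched as an added example that is not part of any message above or of the specification: a token endpoint that falls back to the approved scope when `scope` is omitted, allows a request to narrow it, and echoes the granted scope in the response. The function names, the in-memory grant store, the scope values and the choice to reject (rather than trim) a wider request are assumptions.

```python
# Added illustration; names and the in-memory grant store are hypothetical.
import secrets

# Constructed sample: authorization code -> scope the resource owner approved.
APPROVED = {"i1WsRn1uB1": {"read", "write"}}


class InvalidScope(Exception):
    """Requested scope goes beyond what was approved for the code."""


def resolve_scope(approved, requested):
    """Return the scope set to bind to the access token.

    approved  -- set of scope values approved with the authorization code
    requested -- raw space-delimited "scope" parameter, or None if absent
    """
    if requested is None or not requested.strip():
        # Option #2 from the thread: no scope parameter means the token
        # carries the already approved scope, not an empty one.
        # Assumption: an empty parameter is treated like an absent one.
        return set(approved)
    wanted = set(requested.split())
    if not wanted <= approved:
        # Assumption: reject an attempt to widen instead of silently trimming.
        raise InvalidScope(" ".join(sorted(wanted - approved)))
    return wanted  # equal to, or narrower than, the approved scope


def token_response(code, requested=None):
    """Build the token response body, echoing the granted scope."""
    granted = resolve_scope(APPROVED[code], requested)
    return {
        "access_token": secrets.token_urlsafe(32),
        # Stating the granted scope removes the ambiguity raised in the thread.
        "scope": " ".join(sorted(granted)),
    }
```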
