Some more OAuth2 queries (based on reading -13)

* There's no direct indication of expected behaviour after a failed attempt to refresh a token. Since a refresh_token workflow is an example of issuing an access token, should I read the error behaviour described in 5.2 as applying to section 6 as well?

* Can I read throughout the spec that wherever scope is an OPTIONAL parameter, I can read a request with an absent scope parameter as being equivalent to a request with a scope="" (empty string) parameter?

* In 4.2.2 (implicit grant, response from the auth server), the response includes an OPTIONAL scope parameter, whose definition includes "The authorization server SHOULD include the parameter if the requested scope is different from the one requested by the client." I'm not quite sure I'm reading this correctly, but I think that implies that if the client requests scope A, the server can actually grant scope B.
  - Is it required/suggested that scope B be a subset of scope A?
  - Is it true of any other workflows that a client requesting one scope can actually be granted another scope?

Thanks,
Toby

-- 
http://timetric.com
2nd Floor, White Bear Yard, 144a Clerkenwell Road, London EC1R 5DF
phone: +44 20 3286 0677 (office), +44 7747 603618 (mobile)
twitter: @timetric, @tow21 | skype: tobyohwhite

_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth
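A client-side sketch of the three points raised in the mail above, added here as an example; it is not part of Toby's message nor code from the OAuth working group. It shows how an absent scope parameter is read in a token response versus a refresh request, how a granted scope that differs from the requested one is detected, and how a 5.2 error body on a refresh_token grant is handled. The behaviour follows the published RFC 6749 rather than draft -13 (Section 5.1 makes scope OPTIONAL in the response only when identical to the requested one, Section 6 treats an omitted scope on refresh as the originally granted scope and returns the 5.2 error response on failure), so it is one answer to the questions, not a statement of what -13 says. The JSON bodies are constructed sample data and the function names are this example's own.

```python
"""Client-side handling of scope and error responses at the token endpoint.

Added example, not from the original mail. Follows RFC 6749; the JSON
bodies used below are constructed sample data, not captured traffic."""
from __future__ import annotations

from dataclasses import dataclass

# Error codes a token endpoint may return (RFC 6749 section 5.2). Section 6
# says a failed refresh_token request uses exactly this error response.
TOKEN_ENDPOINT_ERRORS = frozenset({
    "invalid_request", "invalid_client", "invalid_grant",
    "unauthorized_client", "unsupported_grant_type", "invalid_scope",
})


class TokenError(Exception):
    """Raised for any 5.2 error body, refresh_token grant included."""

    def __init__(self, code: str, description: str | None = None) -> None:
        super().__init__(code if description is None else f"{code}: {description}")
        self.code = code
        self.description = description


def parse_scope(value: str | None) -> frozenset[str]:
    """Scope is a space-delimited, case-sensitive list (section 3.3).

    None and "" both give the empty set here; what an *absent* parameter
    means is decided by the caller, because it differs per message."""
    return frozenset(value.split()) if value else frozenset()


@dataclass(frozen=True)
class GrantedScope:
    granted: frozenset[str]     # scope actually issued with the token
    missing: frozenset[str]     # requested but not granted (server narrowed)
    unexpected: frozenset[str]  # granted although never requested


def handle_token_response(status: int, body: dict,
                          requested_scope: str | None) -> tuple[str, GrantedScope]:
    """Interpret a token endpoint response (sections 5.1 and 5.2).

    Returns (access_token, GrantedScope); raises TokenError on an error body.
    The same code path serves authorization_code and refresh_token grants."""
    if "error" in body:
        code = body["error"]
        if code not in TOKEN_ENDPOINT_ERRORS:
            # Still a failure, but flag the unknown code for the operator.
            raise TokenError("invalid_response", f"unknown error code {code!r}")
        raise TokenError(code, body.get("error_description"))
    if status != 200 or "access_token" not in body or "token_type" not in body:
        raise TokenError("invalid_response", f"unexpected HTTP {status} or missing fields")

    requested = parse_scope(requested_scope)
    # 5.1: scope is OPTIONAL only if identical to the requested one, so an
    # absent scope in the *response* means "what you asked for", not "".
    granted = parse_scope(body["scope"]) if "scope" in body else requested
    return body["access_token"], GrantedScope(
        granted=granted,
        missing=requested - granted,
        unexpected=granted - requested,
    )


def build_refresh_request(refresh_token: str, original_scope: str,
                          scope: str | None = None) -> dict[str, str]:
    """Form parameters for a refresh_token grant (section 6).

    An absent scope here means "the scope originally granted", again not "",
    and the request must not ask for more than was originally granted."""
    original = parse_scope(original_scope)
    if scope is None:
        return {"grant_type": "refresh_token", "refresh_token": refresh_token}
    wanted = parse_scope(scope)
    if not wanted <= original:
        raise ValueError(f"refresh may not widen scope: {sorted(wanted - original)}")
    return {"grant_type": "refresh_token", "refresh_token": refresh_token,
            "scope": " ".join(sorted(wanted))}


if __name__ == "__main__":
    # Constructed sample responses.
    tok, sc = handle_token_response(
        200, {"access_token": "at1", "token_type": "bearer", "scope": "read"}, "read write")
    print(tok, sorted(sc.granted), "narrowed by:", sorted(sc.missing))
    try:
        handle_token_response(400, {"error": "invalid_grant",
                                    "error_description": "refresh token revoked"}, None)
    except TokenError as err:
        print("refresh failed:", err.code)
```

The point of `GrantedScope.unexpected` is that a client should not silently accept a wider scope than it asked for: a token carrying scope it never requested is worth logging or rejecting, since any code path that uses the token now has more authority than the client's own policy intended. The comparison is on exact space-separated tokens, matching the case-sensitive treatment of scope strings in section 3.3.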
