Sending to the list for proper archiving.

EHL

-----Original Message-----
From: Casey Lucas [mailto:[email protected]]
Sent: Wednesday, July 27, 2011 8:05 AM
To: Eran Hammer-Lahav
Subject: FW: couple minor spec issues

Eran,

I tried to send this to the oauth list yesterday but it didn't get through. I'm not sure what the problem was but wanted to relay the information in case you found it helpful.

Thanks,
-casey

On 7/26/11 9:56 AM, "Casey Lucas" <[email protected]> wrote:

Thank you all for the oauth2 related work. While evaluating the applicability of oauth for some of my company's problems I noticed what appear to be a couple of minor issues with the spec (version 20):

1. Section 4.1.3 Access Token Request is missing the word "request":

   "For example, the client makes the following HTTP using transport-layer security (extra line breaks are for display purposes only)"

   Likely it should be:

   For example, the client makes the following HTTP _request_ using transport-layer security (extra line breaks are for display purposes only)

2. Section 6 Refreshing an Access Token seems to conflict with itself concerning token scope:

   "The requested scope MUST be equal or lesser than the scope originally granted by the resource owner, and if omitted is treated as equal to the scope originally granted by the resource owner."

   Yet the last sentence in that section states:

   "If a new refresh token is issued, its scope MUST be identical to that of the refresh token included in the request."

   Shouldn't it be the lesser of the original refresh_token's scope and the newly requested scope? Since the scope parameter is either passed or implied, should that last sentence be something like:

   If a new refresh token is issued, its scope MUST be identical to the passed or implied scope parameter.

   For reference, the scope parameter description is currently:

   OPTIONAL. The scope of the access request expressed as a list of space-delimited, case sensitive strings. The value is defined by the authorization server. If the value contains multiple space-delimited strings, their order does not matter, and each string adds an additional access range to the requested scope. The requested scope MUST be equal or lesser than the scope originally granted by the resource owner, and if omitted is treated as equal to the scope originally granted by the resource owner.

-casey

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
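The scope rule discussed in the thread, as an added example that is not part of the mailing-list message or of any OAuth implementation: an authorization server's handling of the scope parameter on a refresh_token grant, treating scope as a set of space-delimited, case sensitive strings, rejecting any request beyond the original grant, and issuing the new refresh token with the "passed or implied" scope that the message proposes. The token store layout and the error strings are assumptions.

```python
import secrets

# Added example, not code from the thread or from any OAuth library.
# Scope strings are space-delimited, case sensitive and order-independent,
# so they are compared as sets rather than as raw strings.

def parse_scope(scope_param):
    """Split a scope parameter into a set of scope strings; None means omitted."""
    if scope_param is None:
        return None
    tokens = scope_param.split()
    if not tokens:
        raise ValueError("invalid_request: scope parameter is empty")
    return set(tokens)  # order does not matter; duplicates add nothing

def resolve_refresh_scope(granted_scope, requested_scope_param):
    """Return the scope to issue on refresh, or raise if the request exceeds the grant.

    granted_scope: scope originally granted by the resource owner, as recorded
                   with the refresh token the client presented.
    requested_scope_param: raw 'scope' parameter of the refresh request,
                           or None when the client omitted it.
    """
    granted = set(granted_scope.split())
    requested = parse_scope(requested_scope_param)
    if requested is None:
        # Omitted scope is treated as equal to the scope originally granted.
        return granted
    if not requested <= granted:
        # A refresh must never widen the grant; report what was not granted.
        extra = sorted(requested - granted)
        raise PermissionError("invalid_scope: not originally granted: " + " ".join(extra))
    # Equal or lesser than the grant: narrow the issued scope to what was asked for.
    return requested

def refresh_tokens(token_store, refresh_token, requested_scope_param):
    """Issue a new access token and refresh token carrying the passed-or-implied scope.

    token_store is an assumed dict: refresh_token -> {"scope": "<space-delimited>"}.
    """
    record = token_store[refresh_token]
    effective = resolve_refresh_scope(record["scope"], requested_scope_param)
    scope_str = " ".join(sorted(effective))
    new_refresh = secrets.token_urlsafe(32)
    token_store[new_refresh] = {"scope": scope_str}   # new refresh token keeps the same scope
    del token_store[refresh_token]                     # presented refresh token is retired
    return {"access_token": secrets.token_urlsafe(32), "token_type": "bearer",
            "scope": scope_str, "refresh_token": new_refresh}
```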
