> On 7/26/11 9:56 AM, "Casey Lucas" <[email protected]> wrote:
> 2. Section 6 Refreshing an Access Token seems to conflict with itself
> concerning token scope:
>
> "The requested scope MUST be equal or lesser than the scope originally
> granted by the resource owner, and if omitted is treated as equal to the
> scope originally granted by the resource owner."
>
>
> Yet the last sentence in that section states:
>
> "If a new refresh token is issued, its scope MUST be identical to that of the
> refresh token included in the request."

The identical scope is only for the refresh token, not the access token being
refreshed. Clarified:

  If a new refresh token is issued, the refresh token scope MUST be identical
  to that of the refresh token included by the client in the request.

EHL
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
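
The distinction drawn in the reply above, as an added example (not part of the original message or of the draft): a token endpoint's refresh handling in which the access token scope may narrow while a reissued refresh token keeps the scope of the one presented. The in-memory store, the function names and the rotate flag are assumptions made for illustration.

```python
import secrets


class InvalidScope(Exception):
    """Requested scope is broader than the scope bound to the refresh token."""


# Hypothetical in-memory store: refresh token -> scope granted by the resource owner.
REFRESH_TOKENS = {}


def issue_refresh_token(scope):
    token = secrets.token_urlsafe(32)
    REFRESH_TOKENS[token] = frozenset(scope)
    return token


def refresh(refresh_token, requested_scope=None, rotate=True):
    """Handle a refresh request; requested_scope is the space-delimited
    'scope' parameter, or None when the client omitted it."""
    granted = REFRESH_TOKENS.get(refresh_token)
    if granted is None:
        raise KeyError("unknown or revoked refresh token")

    if not requested_scope:
        # Omitted (or empty, an assumption here): treated as equal to the granted scope.
        access_scope = granted
    else:
        access_scope = frozenset(requested_scope.split())
        # "Equal or lesser": must be a subset of what was originally granted.
        if not access_scope <= granted:
            raise InvalidScope(sorted(access_scope - granted))

    response = {
        "access_token": secrets.token_urlsafe(32),
        "scope": " ".join(sorted(access_scope)),
    }
    if rotate:
        # The new refresh token carries the presented refresh token's scope,
        # not the (possibly narrower) access token scope, so narrowing one
        # access token never permanently shrinks the grant.
        del REFRESH_TOKENS[refresh_token]
        response["refresh_token"] = issue_refresh_token(granted)
    return response
```

Binding the reissued refresh token to `access_scope` instead of `granted` is the misreading the clarification rules out: a client that once asked for a narrower access token would lose the rest of its grant on every later refresh.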