From section 3.3 (draft 23):

> If the client omits the scope parameter when requesting authorization, the
> authorization server MUST either process the request using *a pre-defined
> default value*, or fail the request indicating an invalid scope. The
> authorization server SHOULD document its scope requirements and default
> value (if defined).

Is this saying that the pre-defined default value must be a FIXED value for all clients and all grants? Or might the predefined default value actually be a derivation of the grant? (for example, by default the access token scope is simply the maximum scope allowed by the grant)

Thanks.

--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
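
The two readings the question distinguishes, plus the "fail the request" branch from the quoted text, sketched as an authorization-server scope resolver. This is an added example, not part of the original message or of the draft. The names `DefaultScopePolicy`, `resolve_scope` and `InvalidScope`, the sample scope values, and the choice to intersect a fixed default with the grant are assumptions made for illustration.

```python
from enum import Enum


class DefaultScopePolicy(Enum):
    FIXED = "fixed"          # one documented default for all clients and grants
    GRANT_MAX = "grant_max"  # default derived from the grant: all it allows
    REJECT = "reject"        # no default defined: omitted scope is an error


class InvalidScope(Exception):
    """Raised where the server would answer with error=invalid_scope."""
    error = "invalid_scope"


def resolve_scope(requested, granted, policy, fixed_default=()):
    """Return the scope set to bind to the access token.

    requested: raw space-delimited scope parameter, or None if omitted
    granted:   scope values the underlying grant allows
    """
    granted = frozenset(granted)
    if requested is None:
        if policy is DefaultScopePolicy.REJECT:
            raise InvalidScope("scope parameter is required")
        if policy is DefaultScopePolicy.FIXED:
            default = frozenset(fixed_default)
        else:  # GRANT_MAX: omitted scope yields the broadest token
            default = granted
        # Assumption: a fixed default is capped by what the grant allows.
        effective = default & granted
        if not effective:
            raise InvalidScope("default scope is not covered by the grant")
        return effective
    wanted = frozenset(requested.split())
    if not wanted or not wanted <= granted:
        raise InvalidScope("requested scope is empty or exceeds the grant")
    return wanted


if __name__ == "__main__":
    grant = {"read", "write", "admin"}  # constructed sample grant
    for policy in DefaultScopePolicy:
        try:
            result = sorted(resolve_scope(None, grant, policy, {"read"}))
        except InvalidScope as exc:
            result = f"{exc.error}: {exc}"
        print(policy.name, "->", result)
```

Under `FIXED` an omitted scope yields the narrow documented default, while under `GRANT_MAX` the same request yields a token carrying everything the grant allows.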
