The text serves two purposes:
1. Warn client developers that the server may have a default scope and that they should figure out what it is or what the scope requirements are
2. Make server developers aware that they should publish their default scope or scope handling preferences.

As for your question, the pre-defined default value can be anything, including context-sensitive. It can even be random, but either way, it should be documented.

EH

From: [email protected] [mailto:[email protected]] On Behalf Of Andrew Arnott
Sent: Sunday, February 12, 2012 8:44 PM
To: OAuth WG ([email protected])
Subject: [OAUTH-WG] Clarification on section 3.3: missing scope parameter in access token request

From section 3.3 (draft 23):

    If the client omits the scope parameter when requesting authorization, the authorization server MUST either process the request using a pre-defined default value, or fail the request indicating an invalid scope. The authorization server SHOULD document its scope requirements and default value (if defined).

Is this saying that the pre-defined default value must be a FIXED value for all clients and all grants? Or might the predefined default value actually be a derivation of the grant? (for example, by default the access token scope is simply the maximum scope allowed by the grant)

Thanks.

--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre
_______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
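As an added illustration of the section 3.3 rule the thread discusses, here is a toy authorization-server scope resolver. It is example code written for this page, not code from the OAuth working group, the draft, or any real server. The client registry, the scope names and the three policy names ("reject", "minimal", "maximum") are constructed; "maximum" models the grant-derived default Andrew asks about, "minimal" a fixed least-privilege default, and "reject" the other branch the text allows (fail the request). The `invalid_scope` error code is the one RFC 6749 defines for this failure.

```python
# Added example: a toy scope resolver for an OAuth 2.0 authorization server,
# implementing the section 3.3 rule: when the client omits the 'scope'
# parameter, either apply a pre-defined (possibly per-client) default or fail
# the request with invalid_scope.  Not the OAuth WG's or any real server's
# code; registry contents and policy names are constructed for illustration.

from dataclasses import dataclass
from typing import Optional


class InvalidScope(Exception):
    """Raised when the request must be failed with the invalid_scope error."""


@dataclass(frozen=True)
class ClientPolicy:
    allowed: frozenset            # scopes this client may ever be granted
    default: str                  # policy when 'scope' is omitted (constructed names):
                                  #   "reject"  -> fail with invalid_scope
                                  #   "minimal" -> fixed least-privilege default
                                  #   "maximum" -> everything this client may have
    minimal: frozenset = frozenset()


# Constructed client registry showing each of the three documented policies.
CLIENTS = {
    "web-app":   ClientPolicy(frozenset({"read", "write", "profile"}), "minimal",
                              frozenset({"read"})),
    "batch-job": ClientPolicy(frozenset({"read", "write"}), "maximum"),
    "cli-tool":  ClientPolicy(frozenset({"read"}), "reject"),
}


def resolve_scope(client_id: str, requested: Optional[str]) -> frozenset:
    """Return the set of scopes to issue for this request.

    `requested` is the raw value of the 'scope' request parameter, or None
    when the parameter was omitted entirely.
    """
    policy = CLIENTS[client_id]
    if requested is None:
        # Section 3.3: use the pre-defined default, or fail the request.
        if policy.default == "reject":
            raise InvalidScope("scope parameter is required for this client")
        if policy.default == "maximum":
            return policy.allowed
        return policy.minimal
    # Scope values are space-delimited; an empty string yields no scopes.
    scopes = frozenset(requested.split())
    if not scopes:
        raise InvalidScope("scope parameter is present but empty")
    unknown = scopes - policy.allowed
    if unknown:
        raise InvalidScope("scope not permitted for this client: "
                           + " ".join(sorted(unknown)))
    return scopes


def token_scope_decision(client_id: str, requested: Optional[str]) -> dict:
    """Wrap resolve_scope in the JSON shape a token endpoint would return:
    the issued scope on success, or RFC 6749's invalid_scope error on failure."""
    try:
        issued = resolve_scope(client_id, requested)
        return {"scope": " ".join(sorted(issued))}
    except InvalidScope as exc:
        return {"error": "invalid_scope", "error_description": str(exc)}


if __name__ == "__main__":
    # Constructed requests: three with 'scope' omitted, one asking too much.
    for cid, req in [("web-app", None), ("batch-job", None),
                     ("cli-tool", None), ("web-app", "read admin")]:
        print(cid, repr(req), "->", token_scope_decision(cid, req))
```

Whichever branch a server takes, the point of the text holds: the client cannot infer the outcome from the request alone, so the per-client (or per-grant) default and the scope requirements need to be published.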
