On 24 Feb 2012, at 01:02, Wenjie Lin wrote:

> As we have shown in our Feb 17th email, the negative consequence is a
> violation by the user of the service agreement, that is, the user is able to
> play the game but the client cannot post messages on behalf of the user.

That's not a negative within the context of the OAuth protocol, which protects the users' interests, not the clients'. It looks as though with the current wording, it's basically not possible to be compliant (very mildly) in this scenario. But as John Bradley pointed out, it's completely legitimate for a client to give the "game" full permissions, and then edit the scope afterwards (though I can't find an explicit reference in the draft, I expect it to be covered by one of the "This is out of scope" or revocation clauses). Implementations that want to allow clients to enforce the scope contract with the user could always just implement a method to get the actual scope back (like Facebook), but it's not an attack against the protocol or user.

_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth
