(looking at v31 of the draft [1]) In "Authorization Code Grant" (section 4.1), when the ResourceOwner authorizes a `scope` that differs from the `scope` the Client requested, how does the Client find out the modified scope value?
"Implicit Grant" addresses this by including a `scope` parameter in the Authorization Token Response (4.2.2). So this is not a problem for the Implicit grant type. But "Authorization Code Grant" defines no such parameter for its Authorization Response (4.1.2). Also, nothing equivalent in the subsequent Access Token Response (4.1.4).

I'm new to the list, so if this has been discussed previously, or if I'm missing something obvious, please just point me in the right direction.

Otherwise, I would propose the addition of `scope` as a response parameter in 4.1.2 (Authorization Response), for the purpose of communicating, to the Client, the actual granted scope value, which could be different from the requested scope value. It should behave the same as the `scope` response parameter defined for the Implicit Grant's "Access Token Response" in section 4.2.2.

-Lee

[1]: http://tools.ietf.org/html/draft-ietf-oauth-v2-31

OAuth mailing list, https://www.ietf.org/mailman/listinfo/oauth
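The client-side check this message is asking for, as an added example that is not part of the original post: a Python helper that parses the redirect back to the client, verifies `state`, and compares the requested scope against a `scope` response parameter when one is present (the parameter the post proposes for 4.1.2), treating an absent parameter as identical to the requested scope, the rule 4.2.2 uses for the implicit grant. The callback URL, code and scope values are constructed for the example.

```python
from urllib.parse import urlparse, parse_qs


def parse_scope(value):
    """Split a scope string into a set; scope values are space-delimited
    and case-sensitive, so no normalisation is applied."""
    return frozenset(value.split()) if value else frozenset()


def check_authorization_response(redirect_url, expected_state, requested_scope):
    """Validate the authorization response and work out the granted scope.

    Returns the authorization code, the granted scope set and the scopes that
    were requested but not granted.  A missing `scope` parameter is treated as
    "identical to the requested scope" (assumption: the proposed parameter
    would carry the same semantics as the implicit grant's, section 4.2.2)."""
    query = parse_qs(urlparse(redirect_url).query)
    if "error" in query:
        raise ValueError("authorization server returned error: %s" % query["error"][0])
    # state must round-trip unchanged, otherwise the response is not for our request
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch")
    if len(query.get("code", [])) != 1:
        raise ValueError("expected exactly one authorization code")
    requested = parse_scope(requested_scope)
    scope_param = query.get("scope", [None])[0]
    granted = parse_scope(scope_param) if scope_param is not None else requested
    unexpected = granted - requested
    if unexpected:
        # the client never asked for these; do not silently start using them
        raise ValueError("granted scope exceeds requested scope: %s"
                         % " ".join(sorted(unexpected)))
    return {"code": query["code"][0], "granted": granted, "missing": requested - granted}


def is_rejected(redirect_url, expected_state, requested_scope):
    """True if the response fails validation (used to exercise the error paths)."""
    try:
        check_authorization_response(redirect_url, expected_state, requested_scope)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # constructed callback: the user granted only "read" out of "read write"
    url = "https://client.example/cb?code=SplxlOBeZQQYbYS6WxSbIA&state=xyz&scope=read"
    print(check_authorization_response(url, "xyz", "read write"))
```

The `missing` set is what the client must consult before it tries to use a capability the resource owner declined; without the proposed parameter it has no way to learn this until a resource request fails.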
