> 
> (looking at v31 of the draft [1])
> 
> In "Authorization Code Grant" (section 4.1), when the ResourceOwner
> authorizes a `scope` that differs from the `scope` the Client requested,
> how does the Client find out the modified scope value?
The scope is sent in the access token. 

> 
> "Implicit Grant" addresses this by including a `scope` parameter in the 
> Authorization Token Response (4.2.2).  So this is not a problem for the 
> Implicit grant type.

The implicit grant is different from the authorization request in the
"authorization code grant": the former is for an access token, the latter
is for an authorization code, which is exchanged further for an access token.
> 
> But "Authorization Code Grant" defines no such parameter for its 
> Authorization Response (4.1.2).  Also, nothing equivalent in the 
> subsequent Access Token Response (4.1.4). 
There is a scope included in section 5.1.
> 
> 
> I'm new to the list, so if this has been discussed previously, or if 
> I'm missing something obvious, please just point me in the right 
> direction.
> 
> Otherwise, I would propose the addition of `scope` as a response 
> parameter in 4.1.2 (Authorization Response), for the purpose of 
> communicating, to the Client, the actual granted scope value, which 
> could be different from the requested scope value.  It should behave 
> the same as the `scope` response parameter defined for the Implicit 
> Grant's "Access Token Response" in section 4.2.2.
> 
> -Lee
> 
> 
> [1]: http://tools.ietf.org/html/draft-ietf-oauth-v2-31
> 
> _______________________________________________
> OAuth mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/oauth
> 
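The exchange discussed above, as an added example that is not part of the thread: a client-side check of the granted `scope`, reading it from the JSON access token response for the authorization code grant (section 5.1 of the draft) and from the redirect fragment for the implicit grant (section 4.2.2). In both places `scope` is OPTIONAL if identical to what was requested and REQUIRED otherwise, so an absent parameter means "granted as requested". The token values and redirect URL are constructed samples.

```python
# Added example: how a client learns the effective granted scope from an
# OAuth 2.0 response (draft-ietf-oauth-v2-31 sections 5.1 and 4.2.2).
import json
from urllib.parse import urlsplit, parse_qs


def parse_scope(value):
    """Section 3.3: scope is a space-delimited list of case-sensitive strings."""
    return set(value.split()) if value else set()


def check_grant(requested, response_scope):
    """Compare the requested scope with the scope the server reported.

    response_scope is the raw `scope` parameter from the response, or None
    when the server omitted it (permitted only if it equals the request).
    Returns the granted set plus what was dropped and what was added.
    """
    asked = parse_scope(requested)
    granted = asked if response_scope is None else parse_scope(response_scope)
    return {
        "granted": granted,
        "missing": asked - granted,   # client must not rely on these
        "extra": granted - asked,     # granted beyond the request; worth logging
    }


def scope_from_token_response(body):
    """Authorization code grant: scope arrives in the JSON token response (5.1)."""
    return json.loads(body).get("scope")


def scope_from_implicit_redirect(url):
    """Implicit grant: scope arrives in the redirect URI fragment (4.2.2)."""
    fragment = parse_qs(urlsplit(url).fragment)
    return fragment.get("scope", [None])[0]


# Constructed sample messages (not from the thread or the draft).
REQUESTED = "read write"
TOKEN_RESPONSE_NARROWED = (
    '{"access_token":"tok-EXAMPLE","token_type":"example",'
    '"expires_in":3600,"scope":"read"}'
)
TOKEN_RESPONSE_AS_REQUESTED = '{"access_token":"tok-EXAMPLE","token_type":"example"}'
IMPLICIT_REDIRECT = (
    "https://client.example.com/cb#access_token=tok-EXAMPLE"
    "&token_type=example&expires_in=3600&scope=read&state=xyz"
)

if __name__ == "__main__":
    print(check_grant(REQUESTED, scope_from_token_response(TOKEN_RESPONSE_NARROWED)))
    print(check_grant(REQUESTED, scope_from_implicit_redirect(IMPLICIT_REDIRECT)))
```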