We are working with one of our users on the support for pre-authorized
tokens which can be checked by the AS at the initial end-user redirection to
this AS before requesting the end-user authorization.
My assumption is that if the pre-authorized token exists then the
client-provided scope, if any, is basically ignored, because the end user has
already pre-authorized a given client with a specific token which will
have a scope set as requested by the end user at the pre-authorization time.
Is that right? IMHO yes, and the best the AS can do in this case is simply
log what scope the client is actually requesting but reply with the
token containing the pre-authorized scope; please correct me if not.
Thanks, Sergey
_______________________________________________
OAuth mailing list
oauth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
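An added example, not from the post or any AS implementation, of how an authorization server could apply the behaviour asked about above: the pre-authorized scope is granted, the requested scope is only logged, and the pre-authorization is first checked for expiry and client binding. The store, `PreAuthorization` and `resolve_scope` names, and the sample tokens are all constructed for illustration.

```python
"""Added example (not from the mailing list post): an AS resolving the granted
scope when a client presents a pre-authorized token. All names and sample
values are assumptions constructed for this illustration."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class PreAuthorization:
    token: str
    client_id: str            # client the end user pre-authorized
    scope: frozenset          # scope chosen by the end user at pre-authorization time
    expires_at: int           # epoch seconds


@dataclass
class ScopeDecision:
    granted: frozenset        # what the issued token will carry
    ignored: frozenset        # requested scopes that were not granted (for audit only)
    audit: list = field(default_factory=list)


# Constructed sample store; a real AS would look these up in its database.
PRE_AUTH_STORE = {
    "tok-1": PreAuthorization("tok-1", "client-a", frozenset({"read"}), 2_000_000_000),
    "tok-2": PreAuthorization("tok-2", "client-b", frozenset({"read", "write"}), 1),
}


def resolve_scope(token: str, client_id: str, requested: str, now: int) -> Optional[ScopeDecision]:
    """Return the scope the AS grants, or None if the pre-authorization is unusable
    and the AS should fall back to its normal end-user consent flow."""
    pre = PRE_AUTH_STORE.get(token)
    if pre is None or pre.expires_at <= now:
        return None  # unknown or expired pre-authorization
    if pre.client_id != client_id:
        return None  # bound to a different client; never honour it
    requested_set = frozenset(requested.split()) if requested else frozenset()
    decision = ScopeDecision(granted=pre.scope, ignored=requested_set - pre.scope)
    if requested_set and requested_set != pre.scope:
        # The request is logged but does not change the granted scope.
        decision.audit.append(
            f"client {client_id} requested {sorted(requested_set)}, "
            f"granted pre-authorized {sorted(pre.scope)}"
        )
    return decision
```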