I believe the question was asking about how the scope is returned in the access token. Section 5.1/3.3 are really describing how the scope is *requested*.

Andreas …. The answer to your question is that it is out of scope for the OAuth RFC. OAuth does not define the structure of the access token, so it will be implementation specific. Many implementations pass an unstructured access token which is sent back to the AS for introspection, and returned a JSON set of claims including the scope. Others use JWT-structured access tokens.

Do you have a specific implementation that you are asking about, or was it simply a generic question?

adam

From: OAuth [mailto:[email protected]] On Behalf Of Thomas Broyer
Sent: Tuesday, December 03, 2013 6:43 AM
To: Andreas Kohn
Cc: <[email protected]>
Subject: Re: [OAUTH-WG] Scopes in access token response

On 3 Dec 2013 12:56, "Andreas Kohn" <[email protected]> wrote:
>
> Hi,
>
> the current RFC for OAuth 2.0 (http://www.rfc-editor.org/rfc/rfc6749.txt) is
> very unclear on *how* to return the scope in the access token response if
> there are multiple scopes requested/returned.

I think it's very clear, on the opposite. Section 5.1 defers to section 3.3 which says very clearly that the value is a space-delimited list.
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
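Added example, not part of the original thread and not taken from any implementation mentioned in it: a client-side reading of the "scope" member of a token response under RFC 6749 sections 3.3 and 5.1, including the case where the member is omitted. The function names and the sample response are constructed for illustration.

```python
import re

# RFC 6749 section 3.3: scope-token = 1*( %x21 / %x23-5B / %x5D-7E )
# i.e. printable ASCII except space, double quote and backslash.
SCOPE_TOKEN = re.compile(r"[\x21\x23-\x5B\x5D-\x7E]+")


def parse_scope(value):
    """Split a section 3.3 scope string into a set of scope tokens."""
    if not isinstance(value, str) or value == "":
        raise ValueError("scope must be a non-empty string")
    # The delimiter is a single SP; tabs, newlines or doubled spaces are
    # not valid separators, so they surface as invalid tokens below.
    tokens = value.split(" ")
    for tok in tokens:
        if not SCOPE_TOKEN.fullmatch(tok):
            raise ValueError(f"invalid scope-token: {tok!r}")
    return set(tokens)  # order carries no meaning in section 3.3


def granted_scope(requested, token_response):
    """Return (granted, missing) for a decoded token response (a dict).

    Section 5.1: "scope" is OPTIONAL only if identical to the scope the
    client requested, so an absent member means "granted as requested".
    """
    asked = parse_scope(requested)
    if "scope" not in token_response:
        return asked, set()
    granted = parse_scope(token_response["scope"])
    return granted, asked - granted


# Constructed sample: the AS granted less than the client asked for.
SAMPLE_RESPONSE = {
    "access_token": "example-opaque-token",
    "token_type": "bearer",
    "expires_in": 3600,
    "scope": "write read",
}

if __name__ == "__main__":
    print(granted_scope("read write admin", SAMPLE_RESPONSE))
```

Note that a comma is a legal scope-token character, so a response carrying "read,write" parses as one scope named `read,write` rather than two.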
