Actually, section 5.1 is quite specifically how it's returned, and the
intent of the cross-reference to 3.3 is that they use the same format: a
space-separated list presented as a single JSON string. The grammar in
section A.4 applies to both.
-- Justin
On 12/04/2013 02:37 PM, Lewis Adam-CAL022 wrote:
I believe the question was asking about how the scope is returned in
the access token. Section 5.1/3.3 are really describing how the scope
is **requested**.
Andreas .... The answer to your question is that it is out of scope
for the OAuth RFC. OAuth does not define the structure of the access
token, so it will be implementation specific. Many implementations
pass an unstructured access token which is sent back to the AS for
introspection, and returned a JSON set of claims including the scope.
Others use JWT-structured access tokens. Do you have a specific
implementation that you are asking about, or was it simply a generic
question?
adam
*From:* OAuth [mailto:[email protected]] *On Behalf Of* Thomas Broyer
*Sent:* Tuesday, December 03, 2013 6:43 AM
*To:* Andreas Kohn
*Cc:* <[email protected]>
*Subject:* Re: [OAUTH-WG] Scopes in access token response
On 3 Dec 2013 12:56, "Andreas Kohn" <[email protected]> wrote:
>
> Hi,
>
> the current RFC for OAuth 2.0
> (http://www.rfc-editor.org/rfc/rfc6749.txt) is very unclear on *how*
> to return the scope in the access token response if there are multiple
> scopes requested/returned.
I think it's very clear, on the opposite. Section 5.1 defers to
section 3.3 which says very clearly that the value is a
space-delimited list.
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
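The format discussed in this thread, as an added example that is not part of the original messages or any participant's code: a client-side check that the `scope` member of a token response is a single JSON string matching the RFC 6749 Appendix A.4 grammar, and what was actually granted compared with what was requested. The function names and the sample responses are constructed for illustration.

```python
import json
import re

# RFC 6749 Appendix A.4:
#   scope       = scope-token *( SP scope-token )
#   scope-token = 1*NQCHAR
#   NQCHAR      = %x21 / %x23-5B / %x5D-7E   (no space, '"' or '\')
_NQCHARS = r"[\x21\x23-\x5B\x5D-\x7E]+"
SCOPE_RE = re.compile(_NQCHARS + r"(?: " + _NQCHARS + r")*")


def parse_scope(value):
    """Return the set of scope tokens in a `scope` value, or raise ValueError."""
    if not isinstance(value, str):
        # A JSON array such as ["read", "write"] is not the RFC format.
        raise ValueError("scope must be a single JSON string")
    if not SCOPE_RE.fullmatch(value):
        raise ValueError("scope does not match the A.4 grammar")
    return set(value.split(" "))


def granted_scope(response_body, requested):
    """Scope granted by a token response, given the set the client requested."""
    body = json.loads(response_body)
    if "scope" not in body:
        # Section 5.1: the member may be omitted when identical to the request.
        return set(requested)
    return parse_scope(body["scope"])


# Constructed sample token responses (not taken from the thread).
_BASE = '{"access_token": "example-token", "token_type": "bearer"'
OK = _BASE + ', "scope": "read write"}'
OMITTED = _BASE + '}'
AS_ARRAY = _BASE + ', "scope": ["read", "write"]}'
DOUBLE_SPACE = _BASE + ', "scope": "read  write"}'

if __name__ == "__main__":
    requested = {"read", "write", "admin"}
    got = granted_scope(OK, requested)
    # A narrower grant than requested is legal; the client must act on `got`.
    print("granted:", sorted(got), "not granted:", sorted(requested - got))
```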