I stand corrected. Thanks Justin :-) And of course that makes perfect sense since the AT is typically opaque to the client, yet the client would need to know if it obtained the requested scope.
From: Justin Richer [mailto:[email protected]]
Sent: Wednesday, December 04, 2013 1:49 PM
To: Lewis Adam-CAL022; Thomas Broyer; Andreas Kohn
Cc: <[email protected]>
Subject: Re: [OAUTH-WG] Scopes in access token response

Actually, section 5.1 is quite specifically how it's returned, and the intent of the cross-reference to 3.3 is that they use the same format: a space-separated list presented as a single JSON string. The grammar in section A.4 applies to both.

-- Justin

On 12/04/2013 02:37 PM, Lewis Adam-CAL022 wrote:

I believe the question was asking about how the scope is returned in the access token. Section 5.1/3.3 are really describing how the scope is *requested*.

Andreas ....

The answer to your question is that it is out of scope for the OAuth RFC. OAuth does not define the structure of the access token, so it will be implementation specific. Many implementations pass an unstructured access token which is sent back to the AS for introspection, and returns a JSON set of claims including the scope. Others use JWT-structured access tokens. Do you have a specific implementation that you are asking about, or was it simply a generic question?

adam

From: OAuth [mailto:[email protected]] On Behalf Of Thomas Broyer
Sent: Tuesday, December 03, 2013 6:43 AM
To: Andreas Kohn
Cc: <[email protected]>
Subject: Re: [OAUTH-WG] Scopes in access token response

On Dec 3, 2013 12:56, "Andreas Kohn" <[email protected]> wrote:
>
> Hi,
>
> the current RFC for OAuth 2.0 (http://www.rfc-editor.org/rfc/rfc6749.txt) is
> very unclear on *how* to return the scope in the access token response if
> there are multiple scopes requested/returned.

I think it's very clear, on the opposite. Section 5.1 defers to section 3.3 which says very clearly that the value is a space-delimited list.

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
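The point settled in the thread above (the scope in a section 5.1 token response is a single JSON string holding a space-separated list that follows the A.4 grammar, and the client, which cannot look inside an opaque access token, must compare it with what it requested) is shown below as an added example. This is editor-supplied code, not code from the thread or from any listed implementation; the function names, the constructed sample responses and the placeholder token value are assumptions made for the illustration.

```python
import json
import re

# Grammar from RFC 6749 Appendix A.4:
#   scope       = scope-token *( SP scope-token )
#   scope-token = 1*( %x21 / %x23-5B / %x5D-7E )
# i.e. printable ASCII minus space, double quote and backslash.
SCOPE_TOKEN_RE = re.compile(r"^[\x21\x23-\x5b\x5d-\x7e]+$")


def parse_scope(value):
    """Split a scope value (request parameter or token-response member) into a set of tokens.

    Raises ValueError if the value is not a non-empty string or any token violates A.4.
    Only a single space separates tokens, so empty tokens (from leading, trailing or
    doubled spaces) are rejected. A JSON array such as ["read", "write"] is rejected too:
    the RFC wants one string, not a list, which is the ambiguity the thread started from.
    """
    if not isinstance(value, str) or value == "":
        raise ValueError("scope must be a non-empty string")
    tokens = value.split(" ")
    for tok in tokens:
        if not SCOPE_TOKEN_RE.match(tok):
            raise ValueError("invalid scope-token: %r" % (tok,))
    return set(tokens)


def is_valid_scope(value):
    """Boolean wrapper around parse_scope for callers that only need a yes/no."""
    try:
        parse_scope(value)
        return True
    except ValueError:
        return False


def granted_scope(token_response, requested):
    """Scope the client actually obtained from a section 5.1 token response.

    token_response is the parsed JSON body; requested is the scope string the client sent.
    Section 5.1 makes "scope" OPTIONAL if identical to the requested scope and REQUIRED
    otherwise, so absence of the member means "exactly what was requested".
    """
    if "scope" not in token_response:
        return parse_scope(requested)
    return parse_scope(token_response["scope"])


def check_scope(token_response, requested):
    """Return (granted, missing, extra).

    missing: requested tokens the AS did not grant (the client must not assume it has them).
    extra:   granted tokens the client never asked for (worth logging; the AS may narrow or
             widen scope by policy, and a client should not silently use more than it asked for).
    Because the access token itself is opaque to the client, this comparison is the only
    interoperable way for the client to learn what it got.
    """
    wanted = parse_scope(requested)
    got = granted_scope(token_response, requested)
    return got, wanted - got, got - wanted


# Constructed sample responses (not taken from the thread); the token value is a placeholder.
RESPONSE_NARROWED = json.loads(
    '{"access_token":"opaque-token-1","token_type":"bearer","expires_in":3600,"scope":"read"}'
)
RESPONSE_FULL = json.loads(
    '{"access_token":"opaque-token-2","token_type":"bearer","expires_in":3600}'
)
RESPONSE_ARRAY = json.loads(
    '{"access_token":"opaque-token-3","token_type":"bearer","scope":["read","write"]}'
)


if __name__ == "__main__":
    got, missing, extra = check_scope(RESPONSE_NARROWED, "read write")
    print("granted:", sorted(got), "missing:", sorted(missing), "extra:", sorted(extra))
    print("array-valued scope accepted?", is_valid_scope(RESPONSE_ARRAY["scope"]))
```

A client that skips this check and simply stores the token will discover the narrowed scope only when a resource server returns an `insufficient_scope` error later, which is the failure mode Adam's closing remark is about.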
