Per Sec 3.3 and Appendix A.4, scope is a space (SP) separated list of scope-tokens, each of which is 1*NQCHAR.
So, query-encoded, it looks like &scope=openid%20profile%20email (you would be
sending it form-encoded in a POST to the token endpoint in your case),
and the response will be JSON:
{
  "access_token":"2YotnFZFEjr1zCsicMWpAA",
  "token_type":"example",
  "expires_in":3600,
  "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",
  "scope":"openid profile email"
}
Yes, the examples probably should have included scope, but it is clear from the
normative text.
John B.
On Dec 3, 2013, at 8:55 AM, Andreas Kohn <[email protected]> wrote:
> Hi,
>
> the current RFC for OAuth 2.0 (http://www.rfc-editor.org/rfc/rfc6749.txt) is
> very unclear on *how* to return the scope in the access token response if
> there are multiple scopes requested/returned.
>
> Could someone please clarify whether the scopes are supposed to be returned
> as
> 1. space separated string value (i.e. in the same syntax in which they came
> in), or
> 2. as JSON array (looks most "JSON-y"), or
> 3. in another format (for example github uses ',')
>
> There is a related question on stackoverflow:
> http://stackoverflow.com/questions/13290994/how-should-approved-scopes-be-returned-from-an-oauth2-0
>
>
> Regards,
> --
> Andreas
>
>
>
> _______________________________________________
> OAuth mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/oauth
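Added example, not part of the original thread: a strict client-side reading of the space-separated scope format discussed above, using the scope-token grammar from RFC 6749 Appendix A.4. The function names and the sample response are constructed for illustration; the fallback to the requested scope when the member is absent follows RFC 6749 section 5.1.

```python
import json
import re
from urllib.parse import quote

# RFC 6749 Appendix A.4: scope-token = 1*NQCHAR, NQCHAR = %x21 / %x23-5B / %x5D-7E
SCOPE_TOKEN = re.compile(r"[\x21\x23-\x5B\x5D-\x7E]+")


def encode_scope(scopes):
    """Build the form-encoded scope parameter for a request body."""
    return "scope=" + quote(" ".join(scopes), safe="")


def parse_scope(value):
    """Parse a scope value strictly as scope-token *( SP scope-token )."""
    if not isinstance(value, str):
        # A JSON array (or null) is not the format the RFC defines.
        raise ValueError("scope must be a JSON string, got " + type(value).__name__)
    tokens = value.split(" ")
    for token in tokens:
        # An empty token means a leading, trailing or doubled space.
        if not SCOPE_TOKEN.fullmatch(token):
            raise ValueError("invalid scope-token: %r" % token)
    return tokens


def granted_scopes(response_body, requested):
    """Return the scopes granted by a token response.

    RFC 6749 section 5.1 lets the server omit "scope" when it equals the
    requested scope, so a missing member falls back to what was requested.
    """
    response = json.loads(response_body)
    if "scope" not in response:
        return list(requested)
    return parse_scope(response["scope"])


# Constructed sample: the server grants less than the client asked for.
SAMPLE = ('{"access_token":"2YotnFZFEjr1zCsicMWpAA","token_type":"example",'
          '"expires_in":3600,"scope":"openid profile"}')

if __name__ == "__main__":
    requested = ["openid", "profile", "email"]
    print(encode_scope(requested))
    granted = granted_scopes(SAMPLE, requested)
    print("granted:", granted, "not granted:", sorted(set(requested) - set(granted)))
    # A comma is a legal NQCHAR, so a comma-joined value parses as ONE token.
    print(parse_scope("repo,user"))
```

A client that authorizes actions from the returned scope should compare the parsed list against what it requested, since a comma-joined value passes the grammar as a single unrecognized scope rather than failing outright.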
