Thanks, the refresh grant was the case I was missing.

----
Aaron Parecki
aaronparecki.com
@aaronpk <http://twitter.com/aaronpk>
On Tue, Jul 7, 2015 at 8:13 AM, John Bradley <[email protected]> wrote:

> In sec 6 you can send scope to down-scope a refresh token.
>
> In that case if the client asks for a scope that was not part of the original code grant then you would return invalid_scope.
>
> It is not an error in the spec.
>
> Regards
> John B.
>
> On Jul 7, 2015, at 11:42 AM, Aaron Parecki <[email protected]> wrote:
>
> Section 4.1.1 describes the parameters of the *authorization* request, not the token request. After the user approves the scope in the authorization request, the client exchanges the code for the access token. I'm talking about the token request, where there is no scope parameter listed, section 4.1.3 https://tools.ietf.org/html/rfc6749#section-4.1.3
>
> ----
> Aaron Parecki
> aaronparecki.com
> @aaronpk <http://twitter.com/aaronpk>
>
> On Tue, Jul 7, 2015 at 1:08 AM, Antonio Sanso <[email protected]> wrote:
>
>> hi Aaron
>>
>> On Jul 7, 2015, at 6:23 AM, Aaron Parecki <[email protected]> wrote:
>>
>> Section 5.2 lists the possible errors the authorization server can return for an access token request. In the list is "invalid_scope", which as I understand it, can only be returned for a "password" or "client_credentials" grant, since scope is not a parameter of an "authorization_code" grant.
>>
>> why not :) ? From https://tools.ietf.org/html/rfc6749#section-4.1.1
>>
>>     scope
>>         OPTIONAL. The scope of the access request as described by
>>         Section 3.3 <https://tools.ietf.org/html/rfc6749#section-3.3>.
>>
>> regards
>>
>> antonio
>>
>> Because of this, I believe the phrase "or exceeds the scope granted by the resource owner." is unnecessary, since there is no initial grant by the resource owner. Am I reading this correctly, or is there some situation I am not thinking of? Thanks!
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
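The point John makes above (scope is absent from the authorization_code token request but optional on the refresh_token grant, where it may only narrow the original grant) as an added example of a token-endpoint check; this is illustration code written for this page, not from the thread, RFC 6749, or any real server, and the in-memory grant tables are constructed sample data:

```python
import secrets

# Constructed sample data: scope bound to each code / refresh token at issue time.
# (Hypothetical stores; a real server would look these up in its token database.)
GRANTED_SCOPE_BY_CODE = {"code-abc": {"read", "write"}}
GRANTED_SCOPE_BY_REFRESH = {"rt-xyz": {"read", "write", "delete"}}


def _error(code, description):
    # Error response shape from RFC 6749 section 5.2.
    return {"error": code, "error_description": description}


def _token(scope):
    return {
        "access_token": secrets.token_urlsafe(32),
        "token_type": "Bearer",
        "scope": " ".join(sorted(scope)),  # always echo the scope actually issued
    }


def token_request(params):
    """Handle a token request and return a token dict or an RFC 6749 error dict."""
    grant = params.get("grant_type")

    if grant == "authorization_code":
        # Section 4.1.3 lists no scope parameter: the scope was fixed when the
        # resource owner approved the authorization request, so a client-sent
        # scope is ignored here (design choice) and the code's scope applies.
        granted = GRANTED_SCOPE_BY_CODE.get(params.get("code"))
        if granted is None:
            return _error("invalid_grant", "unknown or expired authorization code")
        return _token(granted)

    if grant == "refresh_token":
        granted = GRANTED_SCOPE_BY_REFRESH.get(params.get("refresh_token"))
        if granted is None:
            return _error("invalid_grant", "unknown or revoked refresh token")
        # Section 6: scope is OPTIONAL; omitted (or empty) means the original
        # scope. It must not include anything not originally granted.
        requested = set(params["scope"].split()) if params.get("scope") else granted
        if not requested <= granted:
            return _error("invalid_scope", "requested scope exceeds the original grant")
        return _token(requested)

    return _error("unsupported_grant_type", "grant_type not supported")
```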
