I agree, "limited access" makes sense. I am happy to create a PR, if required.
Current wording is:

The OAuth 2.1 authorization framework enables a*n* *third-party* application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the *third-party* application to obtain access on its own behalf. This specification replaces and obsoletes the OAuth 2.0 Authorization Framework described in RFC 6749 <https://tools.ietf.org/html/rfc6749>.

On Thu, Sep 3, 2020 at 12:33 AM Jeff Craig <jeffcraig= [email protected]> wrote:

> On Wed, Sep 2, 2020 at 8:53 AM Torsten Lodderstedt <torsten= [email protected]> wrote:
>
>> > On 2. Sep 2020, at 05:58, William Denniss <wdenniss= [email protected]> wrote:
>> > On the subject, in first party cases the access may not be all that "limited", I wonder if it should read more generically "an application to obtain access to an HTTP service"?
>>
>> I suggest to stick with “limited” since privilege restriction is always a good idea.
>
> I'm inclined to agree, scopes are a key part of the OAuth model, and while nothing precludes a "full account access" scope, I do think that the idea of privilege restriction is worth infusing the document with.
> _______________________________________________
> OAuth mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/oauth
