Re: [OAUTH-WG] Seeking Clarification: Potential Ambiguity in Specification

Eran Hammer, Mon, 09 January 2012 16:05 UTC


In general, you are correct. However, in this case, since OAuth 2.0 does not attempt to guarantee interop between a generic client and any vendor, the vendor has the right to define its own requirements as long as they are within the spec boundaries.

For example, a vendor can define a missing or empty scope to mean no scope and reject the request. That's allowed since the definition of scope is left for the vendor to define.

Personally, I would not write a server implementation with this behavior and instead define a default scope that's sufficient in most cases.


From: agks mehx
Sent: Sunday, January 08, 2012 2:13 PM
Subject: [OAUTH-WG] Seeking Clarification: Potential Ambiguity in Specification

My client implementation per latest draft did not work against a major vendor's server implementation.

This was because the vendor REQUIRES the scope parameter in the initial request.  If I do not supply the scope parameter, it calls back the URL with an error response stating that the request is invalid:


I reported this to the vendor and the vendor claims that the IETF draft specification says scope is OPTIONAL and that means the vendor is free to make it required in a conforming implementation.

After a careful reading of the relevant sections of the draft specification, I do not believe that is what is the intent of the specification.  It says "OPTIONAL" is to be interpreted per RFC2119, which in turn says: "an implementation which does include a particular option MUST be prepared to interoperate with another implementation which does not include the option (except, of course, for the feature the option provides.)"

This leads me to believe that if I do not supply scope I should not get an error -- I may not be able to perform any API calls but I should get a token back that proves to me that the user was *some* user at the vendor.

Could you please clarify or disambiguate?
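
Added example, not part of either message and not any vendor's code: a sketch of the two authorization-endpoint behaviours discussed in this thread, rejecting a missing or empty scope versus substituting a default scope. The scope names, the default, the placeholder code value, the function names and the choice of the `invalid_scope` error code are assumptions made for illustration.

```python
from urllib.parse import urlencode, urlsplit, urlunsplit, parse_qsl

# Assumptions for this sketch: the scope names and the default are made up.
KNOWN_SCOPES = {"profile", "email", "contacts"}
DEFAULT_SCOPE = ["profile"]


def _redirect(redirect_uri, params, state):
    """Append response parameters to the client's redirect URI query."""
    if state is not None:
        # Echo state so the client can match the response to its request.
        params = {**params, "state": state}
    parts = urlsplit(redirect_uri)
    query = parse_qsl(parts.query, keep_blank_values=True) + list(params.items())
    return urlunsplit(parts._replace(query=urlencode(query)))


def handle_authorization(redirect_uri, state, scope_param, require_scope):
    """Return (redirect_target, granted_scope); granted_scope is None on error.

    scope_param is the raw 'scope' request value, or None when it was omitted.
    """
    requested = (scope_param or "").split()  # scope is a space-delimited list
    if not requested:
        if require_scope:
            # Policy A: a missing or empty scope means "no scope" and is rejected.
            err = {"error": "invalid_scope",
                   "error_description": "scope parameter is required"}
            return _redirect(redirect_uri, err, state), None
        # Policy B: fall back to a default that is sufficient in most cases.
        requested = list(DEFAULT_SCOPE)
    unknown = sorted(set(requested) - KNOWN_SCOPES)
    if unknown:
        err = {"error": "invalid_scope",
               "error_description": "unknown scope: " + " ".join(unknown)}
        return _redirect(redirect_uri, err, state), None
    # Placeholder code; a real server issues a random single-use code and
    # stores the granted scope alongside it.
    return _redirect(redirect_uri, {"code": "PLACEHOLDER_CODE"}, state), requested
```

A client written to interoperate with both policies has to treat an error redirect on a scope-less request as a possible outcome and retry with an explicit scope taken from the vendor's documentation.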