Re: [OAUTH-WG] Clarification on section 3.3: missing scope parameter in access token request

John Bradley <> Mon, 13 February 2012 16:33 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 1C1AF21F854B for <>; Mon, 13 Feb 2012 08:33:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -3.444
X-Spam-Status: No, score=-3.444 tagged_above=-999 required=5 tests=[AWL=0.154, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id jGx5jPfrFnhM for <>; Mon, 13 Feb 2012 08:33:12 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 4036221F8532 for <>; Mon, 13 Feb 2012 08:33:12 -0800 (PST)
Received: by ggnq2 with SMTP id q2so2819742ggn.31 for <>; Mon, 13 Feb 2012 08:33:11 -0800 (PST)
Received: by with SMTP id k48mr20829132yhj.37.1329150791674; Mon, 13 Feb 2012 08:33:11 -0800 (PST)
Received: from [] ( []) by with ESMTPS id i12sm37397152anm.6.2012. (version=TLSv1/SSLv3 cipher=OTHER); Mon, 13 Feb 2012 08:33:09 -0800 (PST)
Mime-Version: 1.0 (Apple Message framework v1257)
Content-Type: multipart/signed; boundary="Apple-Mail=_89E6C1E0-A835-4A0C-AB15-66DF34763180"; protocol="application/pkcs7-signature"; micalg="sha1"
From: John Bradley <>
In-Reply-To: <>
Date: Mon, 13 Feb 2012 13:33:02 -0300
Message-Id: <>
References: <> <>
To: Justin Richer <>
X-Mailer: Apple Mail (2.1257)
X-Gm-Message-State: ALoCoQmAj8KqlFmceR3u329M9siSR/8yG2aSNkQd7aQ662xlaU8ZJiVUjfwNIbarR7DADo7D70P9
Cc: "OAuth WG (" <>
Subject: Re: [OAUTH-WG] Clarification on section 3.3: missing scope parameter in access token request
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 13 Feb 2012 16:33:13 -0000

It is a way of saying the AS doesn't need to return an error if scope is not included, though it has the option to return an error if it has no default scope.

However what the server may use as a default value us application specific.  e.g. the client may have registered a default scope or scopes, or a default is documented as part of some API.

I think the goal is that the behaviour of the AS is in some way predictable to the client, while leaving it to the individual API to define the behaviour of scopes including what to do if you don't get an explicit one in the request.

John B.
On 2012-02-13, at 1:13 PM, Justin Richer wrote:

> In most cases, it will likely be a fixed value, but there's nothing indicating that it can't be contextual. Especially in cases where you've got public, confidential, and dynamically-registered clients all acting on the same host, the default value will depend completely on what kind of client is asking.
> Really, this is a way of saying "scope is up to the AS", which it is, even if the client asks for something else.
>  -- Justin
> On 02/12/2012 11:44 PM, Andrew Arnott wrote:
>> From section 3.3 (draft 23):
>> If the client omits the scope parameter when requesting authorization, the authorization server MUST either process the request using a pre-defined default value, or fail the request indicating an invalid scope. The authorization server SHOULD document its scope requirements and default value (if defined).
>> Is this saying that the pre-defined default value must be a FIXED value for all clients and all grants?  Or might the predefined default value actually be a derivation of the grant? (for example, by default the access token scope is simply the maximum scope allowed by the grant)
>> Thanks.
>> --
>> Andrew Arnott
>> "I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre
>> _______________________________________________
>> OAuth mailing list
> _______________________________________________
> OAuth mailing list