[OAUTH-WG] invalid_scope in access token request

Aaron Parecki <aaron@parecki.com> Tue, 07 July 2015 04:23 UTC

Return-Path: <aaron@parecki.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F11441A1AC1 for <oauth@ietfa.amsl.com>; Mon, 6 Jul 2015 21:23:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id i4ZaYWTVX6oY for <oauth@ietfa.amsl.com>; Mon, 6 Jul 2015 21:23:17 -0700 (PDT)
Received: from mail-ig0-f175.google.com (mail-ig0-f175.google.com [209.85.213.175]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9E9381A8795 for <oauth@ietf.org>; Mon, 6 Jul 2015 21:23:17 -0700 (PDT)
Received: by igcsj18 with SMTP id sj18so251872475igc.1 for <oauth@ietf.org>; Mon, 06 Jul 2015 21:23:17 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:date:message-id:subject:from:to :content-type; bh=j07q7W/U2rWsC/WY05OyIq/Bzye8izrS8uNbeumXm1Y=; b=J3fBMHPKeMKKDWevxsc93XwQSznlL39mt+Hl7hwClYv36lKFu9UTmCGoXPjErmx1x1 ro4I/JiTJE00tgv6GQnme60gOyfxDcmxgCVLSG10TU4NAIcRfIsaTWcB6UY/iECVJfWD dfgKvhzITPwrrPZZXuPXi5IICwo4ytgcH4Zb4KFdebdw1NjR94y2YTAp0nQlqGrYivKl xez3OY1ib6XPGhhUYRkMVtdWxnrjDaS83z1wPmI7ElBTnZvWsgebwkJWB6YMlWkSy06/ LpRNh4rVBZH8o1iUdyqOrG6PT3GOPIDqXTFb0+wx6g7AmTPIAGDfI0KsKRf1DW7fIhIT 0wCw==
X-Gm-Message-State: ALoCoQnVTAT/7KC+NfpUrDP8W2EHEhRc8NVd+J7gLVsCWdCTcCISVR8HnJVJ/LtfR/rCilOM4jbY
X-Received: by 10.107.47.224 with SMTP id v93mr3056319iov.86.1436242997043; Mon, 06 Jul 2015 21:23:17 -0700 (PDT)
Received: from mail-ig0-f182.google.com (mail-ig0-f182.google.com. [209.85.213.182]) by smtp.gmail.com with ESMTPSA id n6sm11132553igv.17.2015.07.06.21.23.16 for <oauth@ietf.org> (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 06 Jul 2015 21:23:16 -0700 (PDT)
Received: by igcqs7 with SMTP id qs7so24728280igc.0 for <oauth@ietf.org>; Mon, 06 Jul 2015 21:23:15 -0700 (PDT)
MIME-Version: 1.0
X-Received: by 10.50.171.232 with SMTP id ax8mr5689013igc.32.1436242995585; Mon, 06 Jul 2015 21:23:15 -0700 (PDT)
Received: by 10.107.32.73 with HTTP; Mon, 6 Jul 2015 21:23:15 -0700 (PDT)
Date: Mon, 6 Jul 2015 21:23:15 -0700
Message-ID: <CAGBSGjpnSndyXWBKwvHH8mKX_79fv31aeTXrFfKyFTJ5dO1T2g@mail.gmail.com>
From: Aaron Parecki <aaron@parecki.com>
To: OAuth WG <oauth@ietf.org>
Content-Type: multipart/alternative; boundary=089e010d9566902e08051a4161cc
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/QEBurUZ2NR7qUg_a1jryh5e7TBk>
Subject: [OAUTH-WG] invalid_scope in access token request
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Jul 2015 04:23:19 -0000

Section 5.2 lists the possible errors the authorization server can return
for an access token request. In the list is "invalid_scope", which as I
understand it, can only be returned for a "password" or
"client_credentials" grant, since scope is not a parameter of an
"authorization_code" grant.

Because of this, I believe the phrase "or exceeds the scope granted by the
resource owner." is unnecessary, since there is no initial grant by the
resource owner. Am I reading this correctly, or is there some situation I
am not thinking of? Thanks!

----
Aaron Parecki
aaronparecki.com
@aaronpk <http://twitter.com/aaronpk>