Re: [OAUTH-WG] invalid_scope in access token request
Aaron Parecki <aaron@parecki.com> Tue, 07 July 2015 15:18 UTC
In-Reply-To: <9E357BFF-E272-48DD-84B1-CC81E3008AAD@ve7jtb.com>
References: <CAGBSGjpnSndyXWBKwvHH8mKX_79fv31aeTXrFfKyFTJ5dO1T2g@mail.gmail.com> <901C9552-290C-423C-B9A8-8204824A9131@adobe.com> <CAGBSGjqvu5PK5hYTS6w1bXGMtJ=kqS04TLroyaOuGg=fhw4wYw@mail.gmail.com> <9E357BFF-E272-48DD-84B1-CC81E3008AAD@ve7jtb.com>
Date: Tue, 07 Jul 2015 08:18:08 -0700
Message-ID: <CAGBSGjpFEKnCPkue2qQhqYsHO0MOFz4Jep7OEgr3SL_ZAS7e6w@mail.gmail.com>
From: Aaron Parecki <aaron@parecki.com>
To: John Bradley <ve7jtb@ve7jtb.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/W9xj-DAKhPzjpEa1m3wmjydCLYg>
Cc: OAuth WG <oauth@ietf.org>
Thanks, the refresh grant was the case I was missing.

----
Aaron Parecki
aaronparecki.com
@aaronpk <http://twitter.com/aaronpk>

On Tue, Jul 7, 2015 at 8:13 AM, John Bradley <ve7jtb@ve7jtb.com> wrote:
> In sec 6 you can send scope to down scope a refresh token.
>
> In that case if the client asks for a scope that was not part of the
> original code grant then you would return invalid_scope.
>
> It is not an error in the spec.
>
> Regards
> John B.
>
> On Jul 7, 2015, at 11:42 AM, Aaron Parecki <aaron@parecki.com> wrote:
>
> Section 4.1.1 describes the parameters of the *authorization* request, not
> the token request. After the user approves the scope in the authorization
> request, the client exchanges the code for the access token. I'm talking
> about the token request, where there is no scope parameter listed, section
> 4.1.3 https://tools.ietf.org/html/rfc6749#section-4.1.3
>
> ----
> Aaron Parecki
> aaronparecki.com
> @aaronpk <http://twitter.com/aaronpk>
>
>
> On Tue, Jul 7, 2015 at 1:08 AM, Antonio Sanso <asanso@adobe.com> wrote:
>
>> hi Aaron
>>
>> On Jul 7, 2015, at 6:23 AM, Aaron Parecki <aaron@parecki.com> wrote:
>>
>> Section 5.2 lists the possible errors the authorization server can
>> return for an access token request. In the list is "invalid_scope", which
>> as I understand it, can only be returned for a "password" or
>> "client_credentials" grant, since scope is not a parameter of an
>> "authorization_code" grant.
>>
>>
>> why not :) ? From https://tools.ietf.org/html/rfc6749#section-4.1.1
>>
>> scope
>> OPTIONAL. The scope of the access request as described by
>> Section 3.3 <https://tools.ietf.org/html/rfc6749#section-3.3>.
>>
>> regards
>>
>> antonio
>>
>>
>> Because of this, I believe the phrase "or exceeds the scope granted by
>> the resource owner." is unnecessary, since there is no initial grant by the
>> resource owner. Am I reading this correctly, or is there some situation I
>> am not thinking of? Thanks!
>>
>> ----
>> Aaron Parecki
>> aaronparecki.com
>> @aaronpk <http://twitter.com/aaronpk>
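The case John Bradley points to, a refresh_token request carrying a `scope` parameter (RFC 6749 section 6), is where a token endpoint serving the authorization_code flow does return `invalid_scope` for "exceeds the scope granted by the resource owner". The sketch below is an added example written for this page, not code from the thread, the RFC or any IETF project. It assumes the caller has already authenticated the client and passes its `client_id`, that an in-memory `TokenStore` stands in for the server's database, and that an empty `scope` value is treated as malformed; the grant and code values are constructed sample data.

```python
"""
Token endpoint sketch for RFC 6749: the authorization_code grant (4.1.3)
takes no scope parameter, because scope was fixed at the authorization
request (4.1.1); the refresh_token grant (section 6) MAY carry scope to
narrow the token, and asking for scope outside the original grant yields
the invalid_scope error of section 5.2.
Constructed example; not from the IETF thread or any real server.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class Grant:
    """What the resource owner originally approved (constructed sample data)."""
    client_id: str
    scopes: frozenset


@dataclass
class TokenStore:
    """In-memory stand-in for the authorization server's database (assumption)."""
    auth_codes: dict = field(default_factory=dict)      # code -> Grant
    refresh_tokens: dict = field(default_factory=dict)  # refresh_token -> Grant
    access_tokens: dict = field(default_factory=dict)   # access_token -> frozenset of scopes


def parse_scope(value):
    """Section 3.3: scope is a space-delimited, case-sensitive list of strings."""
    return frozenset(s for s in value.split(" ") if s)


def _error(code, description):
    """Section 5.2 error response: HTTP 400 with an error code."""
    return 400, {"error": code, "error_description": description}


def _issue_access_token(store, scopes):
    """Section 5.1 success response; scope echoed so the client sees any narrowing."""
    access = secrets.token_urlsafe(32)
    store.access_tokens[access] = scopes
    return 200, {"access_token": access, "token_type": "Bearer",
                 "expires_in": 3600, "scope": " ".join(sorted(scopes))}


def handle_token_request(params, store, client_id):
    """Handle a token request for an already-authenticated client (assumption)."""
    grant_type = params.get("grant_type")

    if grant_type == "authorization_code":
        # 4.1.3 lists no scope parameter: the grant's scope is whatever the
        # resource owner approved when the code was issued, and the code is
        # single use (popped from the store).
        grant = store.auth_codes.pop(params.get("code"), None)
        if grant is None or grant.client_id != client_id:
            return _error("invalid_grant", "unknown or already used authorization code")
        refresh = secrets.token_urlsafe(32)
        store.refresh_tokens[refresh] = grant
        status, body = _issue_access_token(store, grant.scopes)
        body["refresh_token"] = refresh
        return status, body

    if grant_type == "refresh_token":
        grant = store.refresh_tokens.get(params.get("refresh_token"))
        if grant is None or grant.client_id != client_id:
            return _error("invalid_grant", "unknown refresh token")
        requested = grant.scopes  # section 6: omitted scope equals the original grant
        if "scope" in params:
            requested = parse_scope(params["scope"])
            # Section 6: requested scope MUST NOT include any scope not
            # originally granted by the resource owner; that is the
            # "exceeds the scope granted" branch of invalid_scope in 5.2.
            # An empty scope string is treated as malformed here (assumption).
            if not requested or not requested <= grant.scopes:
                return _error("invalid_scope", "requested scope exceeds the original grant")
        return _issue_access_token(store, requested)

    return _error("unsupported_grant_type", f"{grant_type!r} is not supported")


if __name__ == "__main__":
    store = TokenStore()
    store.auth_codes["code-1"] = Grant("app", frozenset({"read", "write"}))
    _, tok = handle_token_request({"grant_type": "authorization_code", "code": "code-1"}, store, "app")
    rt = tok["refresh_token"]
    print(handle_token_request({"grant_type": "refresh_token", "refresh_token": rt, "scope": "read"}, store, "app"))
    print(handle_token_request({"grant_type": "refresh_token", "refresh_token": rt, "scope": "read admin"}, store, "app"))
```

The check is a subset test against the scopes stored with the refresh token, never against anything the client sends in the new request, which is what keeps a client from quietly widening a grant the user approved once. The refresh token itself is not rotated here; if it were, section 6 requires the new refresh token's scope to be identical to the one presented, not the narrowed scope.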
- [OAUTH-WG] invalid_scope in access token request Aaron Parecki
- Re: [OAUTH-WG] invalid_scope in access token requ… Antonio Sanso
- Re: [OAUTH-WG] invalid_scope in access token requ… Aaron Parecki
- Re: [OAUTH-WG] invalid_scope in access token requ… John Bradley
- Re: [OAUTH-WG] invalid_scope in access token requ… Aaron Parecki