Re: [OAUTH-WG] invalid_scope in access token request

Aaron Parecki <aaron@parecki.com> Tue, 07 July 2015 15:18 UTC

From: Aaron Parecki <aaron@parecki.com>
To: John Bradley <ve7jtb@ve7jtb.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/W9xj-DAKhPzjpEa1m3wmjydCLYg>
Cc: OAuth WG <oauth@ietf.org>

Thanks, the refresh grant was the case I was missing.

----
Aaron Parecki
aaronparecki.com
@aaronpk <http://twitter.com/aaronpk>


On Tue, Jul 7, 2015 at 8:13 AM, John Bradley <ve7jtb@ve7jtb.com> wrote:

> In sec 6 you can send scope to down scope a refresh token.
>
> In that case if the client asks for a scope that was not part of the
> original code grant then you would return invalid_scope.
>
> It is not an error in the spec.
>
> Regards
> John B.
>
> On Jul 7, 2015, at 11:42 AM, Aaron Parecki <aaron@parecki.com> wrote:
>
> Section 4.1.1 describes the parameters of the *authorization* request, not
> the token request. After the user approves the scope in the authorization
> request, the client exchanges the code for the access token. I'm talking
> about the token request, where there is no scope parameter listed, section
> 4.1.3 https://tools.ietf.org/html/rfc6749#section-4.1.3
>
> ----
> Aaron Parecki
> aaronparecki.com
> @aaronpk <http://twitter.com/aaronpk>
>
>
> On Tue, Jul 7, 2015 at 1:08 AM, Antonio Sanso <asanso@adobe.com> wrote:
>
>>  hi Aaron
>>
>>  On Jul 7, 2015, at 6:23 AM, Aaron Parecki <aaron@parecki.com> wrote:
>>
>>  Section 5.2 lists the possible errors the authorization server can
>> return for an access token request. In the list is "invalid_scope", which
>> as I understand it, can only be returned for a "password" or
>> "client_credentials" grant, since scope is not a parameter of an
>> "authorization_code" grant.
>>
>>
>>  why not :) ? From https://tools.ietf.org/html/rfc6749#section-4.1.1
>>
>>   scope
>>          OPTIONAL.  The scope of the access request as described by
>>          Section 3.3 <https://tools.ietf.org/html/rfc6749#section-3.3>.
>>
>> regards
>>
>>  antonio
>>
>>
>>  Because of this, I believe the phrase "or exceeds the scope granted by
>> the resource owner." is unnecessary, since there is no initial grant by the
>> resource owner. Am I reading this correctly, or is there some situation I
>> am not thinking of? Thanks!
>>
>>  ----
>> Aaron Parecki
>> aaronparecki.com
>> @aaronpk <http://twitter.com/aaronpk>
>>
>>   _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>>
>>
>
>
>
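The refresh-grant case discussed in this thread, as an added example that is not part of the original messages: a token-endpoint handler that applies the RFC 6749 section 6 rule (requested scope must not exceed the originally granted scope; omitted scope means the original scope) and returns the section 5.2 invalid_scope error otherwise. The grant store, client ids, scope names and the function names are constructed for illustration.

```python
import secrets

# Constructed sample data: refresh token -> client it was issued to and the
# scope the resource owner approved in the original authorization request.
GRANTS = {
    "rt-constructed-1": {"client_id": "client-a",
                         "scope": {"read", "write", "profile"}},
}

def token_error(code, description):
    """Error response shape from RFC 6749 section 5.2 (HTTP 400)."""
    return 400, {"error": code, "error_description": description}

def refresh(params, client_id, grants=GRANTS):
    """Handle grant_type=refresh_token for an already authenticated client."""
    if params.get("grant_type") != "refresh_token":
        return token_error("unsupported_grant_type", "only refresh_token handled here")
    token = params.get("refresh_token")
    if not token:
        return token_error("invalid_request", "refresh_token is required")
    grant = grants.get(token)
    # Unknown token, or token issued to a different client: invalid_grant.
    if grant is None or grant["client_id"] != client_id:
        return token_error("invalid_grant", "refresh token invalid for this client")

    granted = grant["scope"]
    raw = params.get("scope")
    if raw is None:
        # Section 6: omitted scope is treated as the originally granted scope.
        effective = granted
    else:
        requested = set(raw.split())  # space-delimited list, section 3.3
        if not requested:
            return token_error("invalid_scope", "scope parameter is empty")
        extra = requested - granted
        if extra:
            # The case John Bradley describes: scope not in the original grant.
            return token_error("invalid_scope",
                               "not originally granted: " + " ".join(sorted(extra)))
        effective = requested  # down-scoped access token

    return 200, {
        "access_token": secrets.token_urlsafe(32),
        "token_type": "Bearer",
        "expires_in": 3600,
        "scope": " ".join(sorted(effective)),
    }
```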