Re: [OAUTH-WG] 'Scope' parameter proposal

Torsten Lodderstedt <torsten@lodderstedt.net> Tue, 20 April 2010 05:29 UTC

Message-ID: <4BCD3B85.3080809@lodderstedt.net>
Date: Tue, 20 Apr 2010 07:28:37 +0200
From: Torsten Lodderstedt <torsten@lodderstedt.net>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; de; rv:1.9.1.9) Gecko/20100317 Thunderbird/3.0.4
MIME-Version: 1.0
To: Eran Hammer-Lahav <eran@hueniverse.com>
References: <C7F1D1FC.32809%eran@hueniverse.com>
In-Reply-To: <C7F1D1FC.32809%eran@hueniverse.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Df-Sender: 141509
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] 'Scope' parameter proposal

Please add the scope parameter to the flows and the refresh token 
request as well. This way, a client can obtain refresh tokens with broad 
scope and narrow it down for a particular request (least privilege principle).

regards,
Torsten.

On 19.04.2010 18:25, Eran Hammer-Lahav wrote:
> Proposal:
>
> 'scope' is defined as a comma-separated list of resource URIs or resource
> groups (e.g. contacts, photos). The server can provide a list of values for
> the client to use in its documentation, or the client can use the URIs or
> scope identifier of the protected resources it is trying to access (before
> or after getting a 401 response).
>
> For example:
>
> 1. Client requests resource
>
>      GET /resource HTTP/1.1
>      Host: example.com
>
> 2. Server requires authentication
>
>      HTTP/1.1 401 Unauthorized
>      WWW-Authenticate: Token realm='Example', scope='x2'
>
> 3. Client requests an access token by including scope=x2 in the request
>
> Alternatively, the client can ask for an access token with
> scope=http://example.com/resource.
>
> If the client needs access to two resources with different scopes, it
> requests an access token for scope=x2,x1.
>
> That's it!
>
> It allows the client to figure out what value to put in the scope parameter
> and how to encode multiple scopes without any server-specific documentation.
> Servers that wish to rely exclusively on paperwork can just omit the scope
> parameter from the WWW-Authenticate header.
>
> We can pick a different separator (space, semicolon, etc.) or different
> parameter name (resource(s)).
>
> EHL
>
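As an added example that is not part of either message: the client side derives the scope parameter from the WWW-Authenticate challenge and encodes several scopes with the comma separator from the proposal, and the server side enforces Torsten's point that a refresh request may only narrow, never widen, the scope the refresh token was issued with. The quote handling (single or double quotes around the scope value) and the use of PermissionError for a rejected request are assumptions made here.

```python
"""Scope handling for the comma-separated proposal in this thread.
Assumptions (not from the thread): scope values in the challenge may be
single- or double-quoted; over-broad refresh requests raise PermissionError."""
import re
from typing import Iterable, List, Optional

SEPARATOR = ","  # the proposal's separator; a single point of change if the WG picks another

def challenge_scopes(www_authenticate: str) -> List[str]:
    """Extract scope identifiers from a challenge such as
    Token realm='Example', scope='x2'  or  scope="http://example.com/resource".
    Returns [] when the server omitted scope and relies on documentation instead."""
    match = re.search(r"\bscope=(['\"])(.*?)\1", www_authenticate)
    if not match:
        return []
    return [s for s in match.group(2).split(SEPARATOR) if s]

def scope_param(scopes: Iterable[str]) -> str:
    """Encode the scopes for the token request (e.g. scope=x2,x1):
    de-duplicated, order preserved, and no value may embed the separator."""
    encoded: List[str] = []
    for s in scopes:
        if not s or SEPARATOR in s:
            raise ValueError(f"invalid scope value: {s!r}")
        if s not in encoded:
            encoded.append(s)
    return SEPARATOR.join(encoded)

def narrowed_refresh_scope(granted: str, requested: Optional[str]) -> str:
    """Server side of a refresh token request.
    No scope parameter -> the access token gets the refresh token's full scope.
    A scope parameter -> must be a non-empty subset of the granted scope, so a
    client holding a broad refresh token can mint least-privilege access tokens."""
    granted_set = set(granted.split(SEPARATOR))
    if requested is None:
        return granted
    requested_list = [s for s in requested.split(SEPARATOR) if s]
    if not requested_list or not set(requested_list) <= granted_set:
        raise PermissionError("requested scope exceeds the refresh token's scope")
    return SEPARATOR.join(requested_list)
```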