Re: [OAUTH-WG] SHOULD vs MUST for indicating scope on response when different from client request

Torsten Lodderstedt <torsten@lodderstedt.net> Fri, 20 January 2012 23:22 UTC

From: Torsten Lodderstedt <torsten@lodderstedt.net>
Date: Sat, 21 Jan 2012 00:20:16 +0100
To: Eran Hammer <eran@hueniverse.com>,OAuth WG <oauth@ietf.org>

MUST sounds reasonable

Eran Hammer <eran@hueniverse.com> wrote:

The current text:

   If the issued access token scope is different from the one requested
   by the client, the authorization server SHOULD include the "scope"
   response parameter to inform the client of the actual scope granted.

Stephen asked why not a MUST. I think it should be MUST. Any disagreement?

EHL
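As an added illustration of the rule under discussion (this is example code, not from the thread or any OAuth implementation): the server-side helper emits "scope" whenever the grant differs from the request, and the client-side check shows why that matters, since a client must treat an absent "scope" as "identical to what I asked for". The token values and scope strings are constructed placeholders.

```python
import json


def parse_scope(value):
    """Scope is a space-delimited, case-sensitive list of strings (RFC 6749 s3.3)."""
    if value is None:
        return None
    return frozenset(s for s in value.split(" ") if s)


def build_token_response(access_token, requested_scope, granted_scope):
    """Authorization-server side: emit "scope" whenever the granted scope
    differs from the requested one (the MUST behaviour argued for above)."""
    body = {"access_token": access_token, "token_type": "Bearer"}
    if parse_scope(granted_scope) != parse_scope(requested_scope):
        body["scope"] = granted_scope
    return json.dumps(body)


def check_granted_scope(token_response_json, requested_scope):
    """Client side: compare the granted scope with what was requested.

    An absent "scope" parameter means "identical to the request" (RFC 6749),
    so a server that silently narrows the grant leaves the client with a
    wrong picture of what its token can do.
    """
    body = json.loads(token_response_json)
    requested = parse_scope(requested_scope or "")
    granted = parse_scope(body.get("scope"))
    if granted is None:
        granted = requested
    return {
        "granted": granted,
        "missing": requested - granted,      # requested but not granted
        "unexpected": granted - requested,   # granted but never requested
        "narrowed": not requested <= granted,
        "broadened": not granted <= requested,
    }


# Constructed sample responses; the token values are placeholders.
RESPONSE_SAME = build_token_response("tok1", "read write", "write read")
RESPONSE_NARROWED = build_token_response("tok2", "read write", "read")
RESPONSE_BROADENED = '{"access_token":"tok3","token_type":"Bearer","scope":"read write admin"}'

if __name__ == "__main__":
    for name, resp in [("same", RESPONSE_SAME), ("narrowed", RESPONSE_NARROWED),
                       ("broadened", RESPONSE_BROADENED)]:
        print(name, check_granted_scope(resp, "read write"))
```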