Return-Path: X-Original-To: oauth@ietfa.amsl.com Delivered-To: oauth@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E393F21F86AF for ; Fri, 20 Jan 2012 15:22:58 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.248 X-Spam-Level: X-Spam-Status: No, score=-2.248 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_DE=0.35, HTML_MESSAGE=0.001] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id b3Q2SvTEU5Z0 for ; Fri, 20 Jan 2012 15:22:58 -0800 (PST) Received: from smtprelay01.ispgateway.de (smtprelay01.ispgateway.de [80.67.31.24]) by ietfa.amsl.com (Postfix) with ESMTP id 1A34A21F861B for ; Fri, 20 Jan 2012 15:22:57 -0800 (PST) Received: from [91.2.70.47] (helo=[192.168.71.31]) by smtprelay01.ispgateway.de with esmtpsa (TLSv1:RC4-MD5:128) (Exim 4.68) (envelope-from ) id 1RoNl4-00081J-8W; Sat, 21 Jan 2012 00:22:55 +0100 References: <90C41DD21FB7C64BB94121FBBC2E723453AAB96537@P3PW5EX1MB01.EX1.SECURESERVER.NET> User-Agent: K-9 Mail for Android In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E723453AAB96537@P3PW5EX1MB01.EX1.SECURESERVER.NET> MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----WJVYPODLC8YR42PF21QQ7W4O7XG4YH" From: Torsten Lodderstedt Date: Sat, 21 Jan 2012 00:20:16 +0100 To: Eran Hammer ,OAuth WG Message-ID: X-Df-Sender: dG9yc3RlbkBsb2RkZXJzdGVkdC1vbmxpbmUuZGU= Subject: Re: [OAUTH-WG] SHOULD vs MUST for indicating scope on response when different from client request X-BeenThere: oauth@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: OAUTH WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 20 Jan 2012 23:22:59 -0000 ------WJVYPODLC8YR42PF21QQ7W4O7XG4YH Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit MUST sounds reasonable Eran Hammer schrieb: The current text: If the issued access token scope is different from the one requested by the client, the authorization server SHOULD include the "scope" response parameter to inform the client of the actual scope granted. Stephen asked why not a MUST. I think it should be MUST. Any disagreement? EHL ------WJVYPODLC8YR42PF21QQ7W4O7XG4YH Content-Type: text/html; charset=utf-8 Content-Transfer-Encoding: 8bit MUST sounds reasonable



Eran Hammer <eran@hueniverse.com> schrieb:

The current text:

 

   If the issued access token scope

   is different from the one requested by the client, the authorization

   server SHOULD include the "scope" response parameter to inform the

   client of the actual scope granted.

 

Stephen asked why not a MUST. I think it should be MUST. Any disagreement?

 

EHL

 

------WJVYPODLC8YR42PF21QQ7W4O7XG4YH--