[OAUTH-WG] SHOULD vs MUST for indicating scope on response when different from client request

Eran Hammer <eran@hueniverse.com> Fri, 20 January 2012 23:19 UTC

From: Eran Hammer <eran@hueniverse.com>
To: OAuth WG <oauth@ietf.org>
Date: Fri, 20 Jan 2012 16:19:12 -0700
Message-ID: <90C41DD21FB7C64BB94121FBBC2E723453AAB96537@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Subject: [OAUTH-WG] SHOULD vs MUST for indicating scope on response when different from client request
List-Id: OAUTH WG <oauth.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>

The current text:

   If the issued access token scope
   is different from the one requested by the client, the authorization
   server SHOULD include the "scope" response parameter to inform the
   client of the actual scope granted.

Stephen asked why not a MUST. I think it should be MUST. Any disagreement?

EHL
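Added example, not part of Eran's message or of any OAuth draft text: a token endpoint that reports a down-scoped grant under both readings of the clause above, and the client-side check that depends on it. The point it illustrates is why the difference between SHOULD and MUST matters to the client: when the "scope" parameter is absent, the only thing a client can assume is that it received what it asked for, so a server that silently down-scopes (the SHOULD case) leaves the client holding a token it believes is broader than it is. (In the published RFC 6749, section 5.1, the parameter ended up OPTIONAL only if identical to the requested scope and REQUIRED otherwise.) Function names, the token values and the scope strings are constructed for the example; scope strings are treated as space-delimited, case-sensitive token lists as in the drafts.

```python
"""Added example (not from the original message): token responses with and
without the "scope" parameter, and the client's view of what it was granted.

Scope strings are space-delimited, case-sensitive token lists. Names, tokens
and scope values below are constructed for illustration.
"""


def parse_scope(scope):
    """Split a space-delimited scope string into a set of scope tokens."""
    return set(scope.split()) if scope else set()


def format_scope(tokens):
    """Serialize a set of scope tokens back to the wire form (sorted for stability)."""
    return " ".join(sorted(tokens))


def strict_token_response(access_token, requested_scope, granted_scope, expires_in=3600):
    """Server under the MUST reading: whenever the granted scope differs from
    the requested scope, the "scope" parameter is present in the response."""
    requested = parse_scope(requested_scope)
    granted = parse_scope(granted_scope)
    body = {"access_token": access_token, "token_type": "bearer", "expires_in": expires_in}
    if granted != requested:
        body["scope"] = format_scope(granted)
    return body


def lenient_token_response(access_token, granted_scope, expires_in=3600):
    """Server under the SHOULD reading that chooses not to report the granted
    scope at all, even when it down-scoped the grant. The granted scope is
    recorded server-side only; the client never learns it from this response."""
    del granted_scope  # enforced at the resource server, never disclosed here
    return {"access_token": access_token, "token_type": "bearer", "expires_in": expires_in}


def effective_scope(requested_scope, response):
    """Client side: decide what scope the client may assume it holds.

    Returns (granted_tokens, was_reduced). With no "scope" parameter the
    client can only assume it got what it requested. A server that grants
    something the client never asked for is treated as a protocol error
    rather than silently widening the client's idea of its own authority.
    """
    requested = parse_scope(requested_scope)
    if "scope" not in response:
        return requested, False
    granted = parse_scope(response["scope"])
    if not granted <= requested:
        raise ValueError(
            "server granted scope the client never requested: "
            + format_scope(granted - requested)
        )
    return granted, granted != requested


def client_view_matches_server(requested_scope, actually_granted_scope, response):
    """Does the client's assumption about its scope agree with what the server
    actually granted? False means the client will discover the mismatch only
    when a resource server rejects a request it believed was authorized."""
    assumed, _ = effective_scope(requested_scope, response)
    return assumed == parse_scope(actually_granted_scope)


if __name__ == "__main__":
    req, granted = "read write", "read"
    strict = strict_token_response("tok-1", req, granted)
    lenient = lenient_token_response("tok-2", granted)
    print("MUST server, client agrees:  ", client_view_matches_server(req, granted, strict))
    print("SHOULD server, client agrees:", client_view_matches_server(req, granted, lenient))
```

Running the block prints True for the strict server and False for the lenient one: the lenient response is well-formed, the client has no error to react to, and the discrepancy surfaces only later as an authorization failure at the resource server.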