Re: [OAUTH-WG] Gen-ART Telechat review of draft-ietf-oauth-v2-bearer-18.txt

Justin Richer <jricher@mitre.org> Tue, 10 April 2012 14:11 UTC

Message-ID: <4F843F76.8000503@mitre.org>
Date: Tue, 10 Apr 2012 10:11:02 -0400
From: Justin Richer <jricher@mitre.org>
To: oauth@ietf.org
References: <4F2575CE.9040001@isode.com> <4E1F6AAD24975D4BA5B16804296739436638B7AD@TK5EX14MBXC284.redmond.corp.microsoft.com> <4F27C37C.1090008@isode.com> <4F843A22.4020908@isode.com> <4F843DA1.8080703@isode.com>
In-Reply-To: <4F843DA1.8080703@isode.com>
Subject: Re: [OAUTH-WG] Gen-ART Telechat review of draft-ietf-oauth-v2-bearer-18.txt

>    The "scope" attribute is a space-delimited list of scope values
>    indicating the required scope of the access token for accessing the
>    requested resource.  In some cases, the "scope" value will be used
>    when requesting a new access token with sufficient scope of access to
>    utilize the protected resource.  The "scope" attribute MUST NOT
>    appear more than once.  The "scope" value is intended for
>    programmatic use and is not meant to be displayed to end users.
>
> I don't think this provides enough information about what this is, how 
> it is to be used and which values are allowed. As this is not meant to 
> be displayed to end users, then you need to say what values are 
> allowed and which entity can allocate them. Is there a registry for 
> these tokens, e.g. an IANA registry?
>
> The editor provided explanation in email, however this was not 
> reflected in any version of the draft.

Scopes are service specific and as such their values and semantics are 
defined by each individual authorization server and are not coordinated 
through any centralized repository, registry, or standards body. So long 
as it fits the syntax defined by the grammar, any string is allowed.

>
> 2). Section "3.1.  Error Codes"
>
> I've suggested to use an IANA registry for this field. Apparently 
> there is already a registry created by 
> <http://tools.ietf.org/html/draft-ietf-oauth-v2-23#section-11.4>. 
> However this document doesn't register values defined in section 3.1 
> with IANA and doesn't point to draft-ietf-oauth-v2-23 for the 
> registry. I find this to be very confusing.

Seems like there should be a simple pointer to OAuth2 section 8.5 or 
11.4 here, and "insufficient_scope" does need to be registered, doesn't 
it? Though these are errors coming from the PR and not the token 
endpoint, so maybe they all need to be registered.

  -- Justin
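The two points under discussion (the "scope" attribute appearing at most once with any value that fits the grammar, and the error codes such as "insufficient_scope" coming from the protected resource rather than the token endpoint) can be made concrete with a small parser and builder for the Bearer challenge. This is an added example, not code from this thread or from the draft; it assumes the challenge syntax of the bearer draft's section 3, where scope-token = 1*( %x21 / %x23-5B / %x5D-7E ) and the three error codes are invalid_request, invalid_token and insufficient_scope. The challenge strings and scope values are constructed for illustration.

```python
"""Parse and build WWW-Authenticate: Bearer challenges (draft-ietf-oauth-v2-bearer, section 3).

Added example; the header values below are constructed, not taken from any real service.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# scope-token = 1*( %x21 / %x23-5B / %x5D-7E ): printable ASCII without SP, DQUOTE or backslash.
_SCOPE_TOKEN = re.compile(r"^[\x21\x23-\x5b\x5d-\x7e]+$")
# Error codes the bearer draft defines for challenges sent by the protected resource.
BEARER_ERROR_CODES = frozenset({"invalid_request", "invalid_token", "insufficient_scope"})


@dataclass
class BearerChallenge:
    realm: Optional[str] = None
    scope: List[str] = field(default_factory=list)  # tokens from the single "scope" attribute
    error: Optional[str] = None
    error_description: Optional[str] = None
    error_uri: Optional[str] = None
    extra: Dict[str, str] = field(default_factory=dict)  # attributes this code does not know


def _split_auth_params(s: str) -> List[str]:
    """Split auth-params on commas that sit outside quoted-strings."""
    parts, buf, in_quotes, escaped = [], [], False, False
    for ch in s:
        if escaped:
            buf.append(ch)
            escaped = False
        elif in_quotes and ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == '"':
            in_quotes = not in_quotes
            buf.append(ch)
        elif ch == "," and not in_quotes:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    if buf:
        parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def _unquote(v: str) -> str:
    """Strip a quoted-string's quotes and resolve backslash escapes; tokens pass through."""
    if len(v) >= 2 and v[0] == '"' and v[-1] == '"':
        return re.sub(r"\\(.)", r"\1", v[1:-1])
    return v


def parse_bearer_challenge(header: str) -> BearerChallenge:
    """Parse the value of a WWW-Authenticate header carrying a single Bearer challenge."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError("not a Bearer challenge: %r" % scheme)
    result, seen = BearerChallenge(), set()
    for part in _split_auth_params(params):
        name, eq, value = part.partition("=")
        name, value = name.strip().lower(), _unquote(value.strip())
        if not eq or not name:
            raise ValueError("malformed auth-param: %r" % part)
        if name in seen:  # the draft: the "scope" attribute MUST NOT appear more than once
            raise ValueError("attribute %r appears more than once" % name)
        seen.add(name)
        if name == "scope":
            tokens = value.split(" ")  # scope = scope-token *( SP scope-token )
            bad = [t for t in tokens if not _SCOPE_TOKEN.match(t)]
            if bad:
                raise ValueError("scope tokens violate the grammar: %r" % bad)
            result.scope = tokens
        elif name in ("realm", "error", "error_description", "error_uri"):
            setattr(result, name, value)
        else:
            result.extra[name] = value
    return result


def is_registered_error(challenge: BearerChallenge) -> bool:
    """True when the error code is one the bearer draft defines (and hence expects to be registered)."""
    return challenge.error in BEARER_ERROR_CODES


def missing_scopes(challenge: BearerChallenge, granted: List[str]) -> List[str]:
    """Client side: scopes still needed before re-requesting a token after insufficient_scope."""
    if challenge.error != "insufficient_scope":
        return []
    return [s for s in challenge.scope if s not in granted]


def build_insufficient_scope_challenge(realm: str, required: List[str]) -> str:
    """Resource-server side: emit the challenge for a token whose scope is too narrow.

    Scope values are whatever the authorization server defined; the only constraint
    enforced here is that each one can be expressed under the challenge grammar.
    """
    bad = [t for t in required if not _SCOPE_TOKEN.match(t)]
    if bad:
        raise ValueError("scope values cannot appear in a Bearer challenge: %r" % bad)
    quoted_realm = realm.replace("\\", "\\\\").replace('"', '\\"')
    return 'Bearer realm="%s", error="insufficient_scope", scope="%s"' % (quoted_realm, " ".join(required))


def rejects(header: str) -> bool:
    """Helper for checks: True when the parser refuses the challenge."""
    try:
        parse_bearer_challenge(header)
    except ValueError:
        return True
    return False
```

The parser treats a repeated attribute as an error rather than picking the first or last value, so two clients cannot disagree about which scope list a challenge asked for; the builder does not validate scope names against any list because, as the reply above says, there is no central registry for them, only the grammar.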