Re: [OAUTH-WG] invalid_scope in access token request

Aaron Parecki <aaron@parecki.com> Tue, 07 July 2015 14:42 UTC


Section 4.1.1 describes the parameters of the *authorization* request, not
the token request. After the user approves the scope in the authorization
request, the client exchanges the code for the access token. I'm talking
about the token request, where there is no scope parameter listed (section
4.1.3, https://tools.ietf.org/html/rfc6749#section-4.1.3).

----
Aaron Parecki
aaronparecki.com
@aaronpk <http://twitter.com/aaronpk>


On Tue, Jul 7, 2015 at 1:08 AM, Antonio Sanso <asanso@adobe.com> wrote:

>  hi Aaron
>
>  On Jul 7, 2015, at 6:23 AM, Aaron Parecki <aaron@parecki.com> wrote:
>
>  Section 5.2 lists the possible errors the authorization server can
> return for an access token request. In the list is "invalid_scope", which
> as I understand it, can only be returned for a "password" or
> "client_credentials" grant, since scope is not a parameter of an
> "authorization_code" grant.
>
>
>  why not :)? From https://tools.ietf.org/html/rfc6749#section-4.1.1
>
>   scope
>          OPTIONAL.  The scope of the access request as described by
>          Section 3.3 <https://tools.ietf.org/html/rfc6749#section-3.3>.
>
> regards
>
>  antonio
>
>
>  Because of this, I believe the phrase "or exceeds the scope granted by
> the resource owner." is unnecessary, since there is no initial grant by the
> resource owner. Am I reading this correctly, or is there some situation I
> am not thinking of? Thanks!
>
>  ----
> Aaron Parecki
> aaronparecki.com
> @aaronpk <http://twitter.com/aaronpk>
>
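To make the distinction discussed in this thread concrete, here is an added example (not code from the thread or from any real authorization server) of a minimal RFC 6749 token endpoint: for the authorization_code grant the token's scope comes from what was approved at authorization time and a stray scope field is ignored under section 3.2, while for client_credentials the optional scope parameter is validated and can produce the section 5.2 invalid_scope error. The client registration, issued code and redirect URI are constructed sample data.

```python
# Added example, not code from the thread or from any real authorization
# server: a minimal RFC 6749 token endpoint showing where "invalid_scope"
# (section 5.2) can arise. Codes and client registrations are constructed.

# Constructed state: code "c0de" was issued to client "app1" after the
# resource owner approved scope "read"; "app1" is registered for "read write".
ISSUED_CODES = {"c0de": {"client_id": "app1", "scope": {"read"},
                         "redirect_uri": "https://app.example/cb"}}
CLIENTS = {"app1": {"scopes": {"read", "write"}}}


def _error(code, description):
    # Error response body per section 5.2; the HTTP status is 400.
    return 400, {"error": code, "error_description": description}


def _parse_scope(raw):
    # Section 3.3: scope is a space-delimited list of case-sensitive strings.
    return set(raw.split()) if raw else None


def token_endpoint(params, client_id):
    """Handle a token request (form fields as a dict) for an authenticated client."""
    grant = params.get("grant_type")
    if grant == "authorization_code":
        # Section 4.1.3 defines grant_type, code, redirect_uri and client_id.
        # Section 3.2: unrecognised parameters, e.g. a "scope" field here, are ignored.
        code = ISSUED_CODES.pop(params.get("code"), None)  # single use (section 4.1.2)
        if code is None or code["client_id"] != client_id:
            return _error("invalid_grant", "unknown, used or mismatched code")
        if params.get("redirect_uri") != code["redirect_uri"]:
            return _error("invalid_grant", "redirect_uri does not match")
        # The token's scope is what the resource owner approved earlier.
        return 200, {"access_token": "tok-" + params["code"], "token_type": "Bearer",
                     "scope": " ".join(sorted(code["scope"]))}
    if grant == "client_credentials":
        # Section 4.4.2: scope is an OPTIONAL request parameter, so it is
        # validated here; the password grant (4.3.2) handles it the same way.
        allowed = CLIENTS[client_id]["scopes"]
        requested = _parse_scope(params.get("scope")) or allowed
        if not requested <= allowed:
            return _error("invalid_scope", "requested scope exceeds client registration")
        return 200, {"access_token": "tok-cc-" + client_id, "token_type": "Bearer",
                     "scope": " ".join(sorted(requested))}
    return _error("unsupported_grant_type", f"{grant!r} is not supported")
```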