Re: [OAUTH-WG] invalid_scope in access token request

Antonio Sanso <asanso@adobe.com> Tue, 07 July 2015 08:08 UTC

From: Antonio Sanso <asanso@adobe.com>
To: Aaron Parecki <aaron@parecki.com>
Date: Tue, 7 Jul 2015 08:08:03 +0000
Message-ID: <901C9552-290C-423C-B9A8-8204824A9131@adobe.com>
References: <CAGBSGjpnSndyXWBKwvHH8mKX_79fv31aeTXrFfKyFTJ5dO1T2g@mail.gmail.com>
In-Reply-To: <CAGBSGjpnSndyXWBKwvHH8mKX_79fv31aeTXrFfKyFTJ5dO1T2g@mail.gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/tcvQqCISTVt-9qXin5Xqj2AeYQw>
Cc: OAuth WG <oauth@ietf.org>

Hi Aaron,

On Jul 7, 2015, at 6:23 AM, Aaron Parecki <aaron@parecki.com> wrote:

Section 5.2 lists the possible errors the authorization server can return for an access token request. In the list is "invalid_scope", which, as I understand it, can only be returned for a "password" or "client_credentials" grant, since scope is not a parameter of an "authorization_code" grant.

Why not :)? From https://tools.ietf.org/html/rfc6749#section-4.1.1:

 scope
         OPTIONAL.  The scope of the access request as described by
         Section 3.3 <https://tools.ietf.org/html/rfc6749#section-3.3>.

regards

antonio


Because of this, I believe the phrase "or exceeds the scope granted by the resource owner." is unnecessary, since there is no initial grant by the resource owner. Am I reading this correctly, or is there some situation I am not thinking of? Thanks!

----
Aaron Parecki
aaronparecki.com <http://aaronparecki.com/>
@aaronpk <http://twitter.com/aaronpk>

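As an added illustration (not code from this thread, nor from any RFC or project), here is what the server-side checks behind the two points above look like in Python: the scope parameter of the authorization request (4.1.1) and of the password/client_credentials token requests is validated with the "invalid_scope" code of 5.2, the authorization_code token request carries no scope at all, and the refresh-token grant of RFC 6749 section 6 is the case, beyond what the thread discusses, where a token request can "exceed the scope granted by the resource owner". The client registry (`CLIENTS`), `KNOWN_SCOPES`, `Grant` and the function names are constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Set

# Constructed registry (not from the thread): scopes each client may ask for.
CLIENTS: Dict[str, Set[str]] = {"app1": {"read", "write"}, "app2": {"read"}}
KNOWN_SCOPES: Set[str] = {"read", "write", "admin"}

class OAuthError(Exception):
    """args = (error code from RFC 6749 section 5.2, human-readable description)."""

def parse_scope(scope: Optional[str]) -> Set[str]:
    """3.3: space-delimited, case-sensitive tokens; None means none requested."""
    if scope is None:
        return set()
    if not scope or scope != scope.strip() or "  " in scope:
        raise OAuthError("invalid_scope", "malformed scope parameter")
    return set(scope.split(" "))

def validate_requested_scope(client_id: str, scope: Optional[str]) -> Set[str]:
    """4.1.1 authorization request and 4.3.2/4.4.2 token requests: unknown
    scopes or scopes the client is not registered for give invalid_scope."""
    if client_id not in CLIENTS:
        raise OAuthError("invalid_client", "unknown client")
    requested = parse_scope(scope)
    bad = (requested - KNOWN_SCOPES) | (requested - CLIENTS[client_id])
    if bad:
        raise OAuthError("invalid_scope", "not allowed: " + " ".join(sorted(bad)))
    return requested

@dataclass(frozen=True)
class Grant:
    client_id: str
    granted_scope: FrozenSet[str]  # what the resource owner actually approved

def redeem_authorization_code(grant: Grant, client_id: str) -> dict:
    """4.1.3: the authorization_code token request carries no scope parameter;
    the token inherits the scope bound to the code at authorization time."""
    if grant.client_id != client_id:
        raise OAuthError("invalid_grant", "code was issued to another client")
    return {"token_type": "Bearer", "scope": " ".join(sorted(grant.granted_scope))}

def refresh(grant: Grant, client_id: str, scope: Optional[str]) -> dict:
    """Section 6: scope MAY narrow the new token but must not exceed the original
    grant; this is the 'exceeds the scope granted by the resource owner' case."""
    if grant.client_id != client_id:
        raise OAuthError("invalid_grant", "refresh token belongs to another client")
    requested = parse_scope(scope) or set(grant.granted_scope)
    if requested - grant.granted_scope:
        raise OAuthError("invalid_scope", "exceeds the scope granted by the resource owner")
    return {"token_type": "Bearer", "scope": " ".join(sorted(requested))}
```

The access_token value itself is omitted; only the scope handling and the 5.2 error codes are the point here.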