Re: [OAUTH-WG] invalid_scope in access token request

John Bradley <ve7jtb@ve7jtb.com> Tue, 07 July 2015 15:13 UTC

From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <CAGBSGjqvu5PK5hYTS6w1bXGMtJ=kqS04TLroyaOuGg=fhw4wYw@mail.gmail.com>
Date: Tue, 07 Jul 2015 12:13:21 -0300
Message-Id: <9E357BFF-E272-48DD-84B1-CC81E3008AAD@ve7jtb.com>
References: <CAGBSGjpnSndyXWBKwvHH8mKX_79fv31aeTXrFfKyFTJ5dO1T2g@mail.gmail.com> <901C9552-290C-423C-B9A8-8204824A9131@adobe.com> <CAGBSGjqvu5PK5hYTS6w1bXGMtJ=kqS04TLroyaOuGg=fhw4wYw@mail.gmail.com>
To: Aaron Parecki <aaron@parecki.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/w3nd3_0Ph990oIZGqIy_kmGsXgQ>
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] invalid_scope in access token request

In sec 6 you can send scope to down scope a refresh token.

In that case if the client asks for a scope that was not part of the original code grant then you would return invalid_scope.

It is not an error in the spec.

Regards
John B.

> On Jul 7, 2015, at 11:42 AM, Aaron Parecki <aaron@parecki.com> wrote:
> 
> Section 4.1.1 describes the parameters of the *authorization* request, not the token request. After the user approves the scope in the authorization request, the client exchanges the code for the access token. I'm talking about the token request, where there is no scope parameter listed, section 4.1.3 https://tools.ietf.org/html/rfc6749#section-4.1.3
> 
> ----
> Aaron Parecki
> aaronparecki.com <http://aaronparecki.com/>
> @aaronpk <http://twitter.com/aaronpk>
> 
> 
> On Tue, Jul 7, 2015 at 1:08 AM, Antonio Sanso <asanso@adobe.com> wrote:
> hi Aaron
> 
> On Jul 7, 2015, at 6:23 AM, Aaron Parecki <aaron@parecki.com> wrote:
> 
>> Section 5.2 lists the possible errors the authorization server can return for an access token request. In the list is "invalid_scope", which as I understand it, can only be returned for a "password" or "client_credentials" grant, since scope is not a parameter of an "authorization_code" grant. 
> 
> why not :) ? From https://tools.ietf.org/html/rfc6749#section-4.1.1
> 
>      scope
>            OPTIONAL.  The scope of the access request as described by
>            Section 3.3 (https://tools.ietf.org/html/rfc6749#section-3.3).
> regards
> 
> antonio
> 
>> 
>> Because of this, I believe the phrase "or exceeds the scope granted by the resource owner." is unnecessary, since there is no initial grant by the resource owner. Am I reading this correctly, or is there some situation I am not thinking of? Thanks!
>> 
>> ----
>> Aaron Parecki
>> aaronparecki.com <http://aaronparecki.com/>
>> @aaronpk <http://twitter.com/aaronpk>
>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>> https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>
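To make the point in John's reply concrete, here is an added example (not code from the thread, and not any particular server's implementation) of a token endpoint that treats the two grants the way RFC 6749 describes them: the authorization_code request (section 4.1.3) carries no scope parameter and simply inherits the scope the resource owner approved, while the refresh_token request (section 6) accepts an optional scope that may narrow the original grant but never widen it. Asking for more than was originally granted is exactly the invalid_scope case. The in-memory stores, token strings, client id and the function names are all constructed for the example; client authentication, redirect_uri checking and refresh-token rotation are left out to keep the scope logic in view.

```python
"""Token-endpoint scope handling for RFC 6749 sections 4.1.3 and 6.

Added example with constructed data; not code from the mailing-list
thread or from any real authorization server.
"""
import secrets

# Constructed stores standing in for the authorization server's database.
# Each credential remembers the scope the resource owner actually granted.
# Values are sample strings in the style of the RFC's own examples.
AUTH_CODES = {
    "SplxlOBeZQQYbYS6WxSbIA": {"client_id": "s6BhdRkqt3",
                               "scope": {"read", "write"}},
}
REFRESH_TOKENS = {
    "tGzv3JOkF0XG5Qx2TlKWIA": {"client_id": "s6BhdRkqt3",
                               "scope": {"read", "write"}},
}


def parse_scope(value):
    """Split a space-delimited scope string (section 3.3) into a set."""
    return set(value.split()) if value else set()


def issue_tokens(client_id, scope):
    """Build a successful token response (section 5.1) for the given scope."""
    return {
        "access_token": secrets.token_urlsafe(24),
        "token_type": "Bearer",
        "expires_in": 3600,
        "scope": " ".join(sorted(scope)),
    }


def handle_authorization_code(params):
    """Section 4.1.3: no scope parameter exists on this request.

    The scope is whatever was bound to the code when the resource owner
    approved the authorization request, so there is nothing to compare.
    """
    record = AUTH_CODES.pop(params.get("code", ""), None)  # codes are single-use
    if record is None or record["client_id"] != params.get("client_id"):
        return {"error": "invalid_grant"}
    return issue_tokens(record["client_id"], record["scope"])


def handle_refresh_token(params):
    """Section 6: optional scope may only narrow the original grant."""
    record = REFRESH_TOKENS.get(params.get("refresh_token", ""))
    if record is None or record["client_id"] != params.get("client_id"):
        return {"error": "invalid_grant"}
    requested = parse_scope(params.get("scope"))
    if not requested:
        # Absent scope means "same as originally granted".
        requested = record["scope"]
    if not requested <= record["scope"]:
        # The client asked for something the resource owner never granted.
        extra = sorted(requested - record["scope"])
        return {
            "error": "invalid_scope",
            "error_description": "scope exceeds original grant: "
                                 + " ".join(extra),
        }
    return issue_tokens(record["client_id"], requested)


def token_request(params):
    """Dispatch a token request (a dict of form parameters) by grant_type."""
    grant_type = params.get("grant_type")
    if grant_type == "authorization_code":
        return handle_authorization_code(params)
    if grant_type == "refresh_token":
        return handle_refresh_token(params)
    return {"error": "unsupported_grant_type"}


if __name__ == "__main__":
    base = {"grant_type": "refresh_token", "client_id": "s6BhdRkqt3",
            "refresh_token": "tGzv3JOkF0XG5Qx2TlKWIA"}
    print(token_request({**base, "scope": "read"}))          # narrowed, OK
    print(token_request({**base, "scope": "read admin"}))    # invalid_scope
    print(token_request({"grant_type": "authorization_code",
                         "client_id": "s6BhdRkqt3",
                         "code": "SplxlOBeZQQYbYS6WxSbIA"}))  # inherits scope
```

The subset test `requested <= record["scope"]` is the whole check: any scope value not present in the original grant turns the request into an invalid_scope error, while an absent or narrower scope produces a token with exactly the scope asked for. The authorization_code path deliberately has no such comparison, which is the gap Aaron noticed in section 4.1.3.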