Re: [OAUTH-WG] SHOULD vs MUST for indicating scope on response when different from client request
Igor Faynberg <igor.faynberg@alcatel-lucent.com> Sat, 21 January 2012 00:39 UTC
Return-Path: <igor.faynberg@alcatel-lucent.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6BAA411E8073 for <oauth@ietfa.amsl.com>; Fri, 20 Jan 2012 16:39:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.598
X-Spam-Level:
X-Spam-Status: No, score=-8.598 tagged_above=-999 required=5 tests=[AWL=2.000, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I0zzH1LkKNc8 for <oauth@ietfa.amsl.com>; Fri, 20 Jan 2012 16:39:37 -0800 (PST)
Received: from ihemail1.lucent.com (ihemail1.lucent.com [135.245.0.33]) by ietfa.amsl.com (Postfix) with ESMTP id 522F411E8071 for <oauth@ietf.org>; Fri, 20 Jan 2012 16:39:37 -0800 (PST)
Received: from usnavsmail3.ndc.alcatel-lucent.com (usnavsmail3.ndc.alcatel-lucent.com [135.3.39.11]) by ihemail1.lucent.com (8.13.8/IER-o) with ESMTP id q0L0daaG005830 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK) for <oauth@ietf.org>; Fri, 20 Jan 2012 18:39:36 -0600 (CST)
Received: from umail.lucent.com (umail-ce2.ndc.lucent.com [135.3.40.63]) by usnavsmail3.ndc.alcatel-lucent.com (8.14.3/8.14.3/GMO) with ESMTP id q0L0dZsQ017453 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT) for <oauth@ietf.org>; Fri, 20 Jan 2012 18:39:36 -0600
Received: from [135.244.1.84] (faynberg.lra.lucent.com [135.244.1.84]) by umail.lucent.com (8.13.8/TPES) with ESMTP id q0L0dZAt011812; Fri, 20 Jan 2012 18:39:35 -0600 (CST)
Message-ID: <4F1A0947.5080107@alcatel-lucent.com>
Date: Fri, 20 Jan 2012 19:39:35 -0500
From: Igor Faynberg <igor.faynberg@alcatel-lucent.com>
Organization: Alcatel-Lucent
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.18) Gecko/20110616 Thunderbird/3.1.11
MIME-Version: 1.0
To: oauth@ietf.org
References: <90C41DD21FB7C64BB94121FBBC2E723453AAB96537@P3PW5EX1MB01.EX1.SECURESERVER.NET> <b813efbc-5144-4ebb-9211-cb0f39f9da13@email.android.com> <35BD8E89-A024-4034-8E89-95F4814F9C6C@gmail.com>
In-Reply-To: <35BD8E89-A024-4034-8E89-95F4814F9C6C@gmail.com>
Content-Type: multipart/alternative; boundary="------------060704020706060205020900"
X-Scanned-By: MIMEDefang 2.57 on 135.245.2.33
X-Scanned-By: MIMEDefang 2.64 on 135.3.39.11
Subject: Re: [OAUTH-WG] SHOULD vs MUST for indicating scope on response when different from client request
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: igor.faynberg@alcatel-lucent.com
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 21 Jan 2012 00:39:38 -0000
+1 for MUST.
In addition, I suggest slight rewarding: "the authorization server MUST
include the value of the scope parameter in the response" in place of
"
the authorization
server SHOULD include the "scope" response parameter
"
I think there is one parameter, scope, right?
Igor
On 1/20/2012 6:50 PM, Dick Hardt wrote:
> +!
>
> On Jan 20, 2012, at 4:20 PM, Torsten Lodderstedt wrote:
>
>> MUST sounds reasonable
>>
>>
>>
>> Eran Hammer <eran@hueniverse.com <mailto:eran@hueniverse.com>> schrieb:
>>
>> The current text:
>> If the issued access token scope
>> is different from the one requested by the client, the
>> authorization
>> server SHOULD include the "scope" response parameter to inform the
>> client of the actual scope granted.
>> Stephen asked why not a MUST. I think it should be MUST. Any
>> disagreement?
>> EHL
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>> https://www.ietf.org/mailman/listinfo/oauth
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] SHOULD vs MUST for indicating scope on… Eran Hammer
- Re: [OAUTH-WG] SHOULD vs MUST for indicating scop… Torsten Lodderstedt
- Re: [OAUTH-WG] SHOULD vs MUST for indicating scop… Dick Hardt
- Re: [OAUTH-WG] SHOULD vs MUST for indicating scop… Igor Faynberg
- Re: [OAUTH-WG] SHOULD vs MUST for indicating scop… John Bradley
- Re: [OAUTH-WG] SHOULD vs MUST for indicating scop… Justin Richer