Re: [OAUTH-WG] OAuth 2.0 server behavior

Subbu Allamaraju <subbu@subbu.org> Mon, 29 November 2010 20:43 UTC

From: Subbu Allamaraju <subbu@subbu.org>
Date: Mon, 29 Nov 2010 12:44:25 -0800
To: Eran Hammer-Lahav <eran@hueniverse.com>
Cc: Anton Panasenko <anton.panasenko@gmail.com>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OAuth 2.0 server behavior

Could you point to which part of the spec specifies this (I am looking at draft 10)? In any case, I would expect the auth server to include the scopes granted in the access token response to avoid any ambiguity.

On Nov 29, 2010, at 8:40 AM, Eran Hammer-Lahav wrote:

> #2. Asking for scope on the access token call can only reduce the already approved scope.
>  
> EHL
>  
> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Anton Panasenko
> Sent: Friday, November 26, 2010 10:54 AM
> To: oauth@ietf.org
> Subject: [OAUTH-WG] OAuth 2.0 server behavior
>  
> Hi,
>  
> What behavior is expected from the server if the access_token request is sent without "scope" (grant_type=authorization_code&client_id=s6BhdRkqt3&client_secret=gX1fBat3bV&code=i1WsRn1uB1&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fc)?
>  
> 1. The server must generate an access_token for an empty scope.
> 2. The server must generate an access_token for the scope which was approved for the access_code.
>  
> --
> Sincerely yours
> Anton Panasenko
> Skype: anton.panasenko
> Phone: +79179838291
> Email: anton.panasenko@gmail.com, apanasenko@me.com
>  
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
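
The token-endpoint behaviour discussed in this thread, as an added example that is not part of the original messages or of any OAuth implementation: the server resolves the authorization code to the scope the user approved when the code was issued, lets a "scope" parameter on the token request only narrow that set (refusing anything broader), and echoes the granted scope in the response so the client never has to guess. The client, code and redirect_uri values are the ones quoted in the thread; the in-memory stores, the extra sample codes and the `issue_token` helper are assumptions made for this example.

```python
import hmac
import secrets
from urllib.parse import parse_qs

# Constructed sample data; the first code/client pair is the one quoted in the thread.
CLIENTS = {"s6BhdRkqt3": "gX1fBat3bV"}  # client_id -> client_secret
APPROVED_CODES = {  # authorization code -> what the user approved when it was issued
    "i1WsRn1uB1": {"client_id": "s6BhdRkqt3", "scope": {"read", "write", "profile"},
                   "redirect_uri": "https://client.example.com/c"},
    "c0deReduce": {"client_id": "s6BhdRkqt3", "scope": {"read", "write"},
                   "redirect_uri": "https://client.example.com/c"},
    "c0deEscal8": {"client_id": "s6BhdRkqt3", "scope": {"read"},
                   "redirect_uri": "https://client.example.com/c"},
}
USED_CODES = set()  # an authorization code is single use


def issue_token(query: str) -> dict:
    """Handle an authorization_code grant; return the JSON body the server would send."""
    p = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    if p.get("grant_type") != "authorization_code":
        return {"error": "unsupported_grant_type"}
    client_id = p.get("client_id", "")
    secret = CLIENTS.get(client_id)
    if secret is None or not hmac.compare_digest(secret, p.get("client_secret", "")):
        return {"error": "invalid_client"}
    code = p.get("code", "")
    grant = APPROVED_CODES.get(code)
    # The code must exist, be unused, belong to this client and carry the same redirect_uri.
    if (grant is None or code in USED_CODES or grant["client_id"] != client_id
            or grant["redirect_uri"] != p.get("redirect_uri")):
        return {"error": "invalid_grant"}
    USED_CODES.add(code)
    approved = grant["scope"]
    if "scope" in p:
        requested = set(p["scope"].split())  # space-delimited scope string
        # A scope on the token request may only narrow what was approved; anything
        # outside the approved set is refused rather than silently trimmed.
        if not requested or not requested <= approved:
            return {"error": "invalid_scope"}
        granted = requested
    else:
        granted = approved  # no scope parameter: fall back to the approved scope
    # Echo the granted scope so the client knows exactly what the token covers.
    return {"access_token": secrets.token_urlsafe(32), "token_type": "bearer",
            "scope": " ".join(sorted(granted))}
```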