Re: [OAUTH-WG] SHOULD vs MUST for indicating scope on response when different from client request

Dick Hardt <dick.hardt@gmail.com> Fri, 20 January 2012 23:50 UTC

From: Dick Hardt <dick.hardt@gmail.com>
Date: Fri, 20 Jan 2012 16:50:50 -0700
To: Torsten Lodderstedt <torsten@lodderstedt.net>
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] SHOULD vs MUST for indicating scope on response when different from client request

+1

On Jan 20, 2012, at 4:20 PM, Torsten Lodderstedt wrote:

> MUST sounds reasonable
> 
> Eran Hammer <eran@hueniverse.com> schrieb:
> The current text:
>  
>    If the issued access token scope
>    is different from the one requested by the client, the authorization
>    server SHOULD include the "scope" response parameter to inform the
>    client of the actual scope granted.
>  
> Stephen asked why not a MUST. I think it should be MUST. Any disagreement?
>  
> EHL
>  
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
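As an added illustration (not code from the thread, the draft, or any OAuth implementation), a client-side check in Python of the token-response `scope` parameter under the MUST rule proposed above: an absent parameter is taken to mean the requested scope was granted in full, and a present one is compared against the request so a downgrade is detected rather than silently assumed away. The sample responses and scope names are constructed.

```python
import json

# Constructed sample token responses (not from the thread). The first omits
# "scope" because the server granted exactly what the client requested; the
# second includes it because the server narrowed the grant.
RESPONSE_SAME = '{"access_token": "tok-A", "token_type": "Bearer", "expires_in": 3600}'
RESPONSE_NARROWED = (
    '{"access_token": "tok-B", "token_type": "Bearer", "expires_in": 3600, '
    '"scope": "read"}'
)


def parse_scope(value):
    """Split an OAuth scope string into its space-delimited, case-sensitive tokens."""
    return frozenset(value.split()) if value else frozenset()


def granted_scope(requested, token_response):
    """Return the scope the client actually holds after a token response.

    Relies on the rule discussed in the thread: the server includes "scope"
    whenever the granted scope differs from the requested one, so an absent
    parameter means "same as requested". Under a mere SHOULD, absence would
    be ambiguous and this shortcut would not be safe.
    """
    body = json.loads(token_response)
    if "scope" in body:
        return parse_scope(body["scope"])
    return parse_scope(requested)


def check_token_scope(requested, needed, token_response):
    """Decide whether the token covers an operation that needs scope `needed`.

    Returns a dict so the caller can log a downgrade instead of proceeding
    with a token that lacks the privileges it was about to rely on.
    """
    granted = granted_scope(requested, token_response)
    requested_set = parse_scope(requested)
    return {
        "granted": granted,
        "dropped": requested_set - granted,   # asked for, not granted
        "extra": granted - requested_set,     # granted without being asked
        "usable": parse_scope(needed) <= granted,
    }
```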