[OAUTH-WG] Scopes in access token response

Andreas Kohn <andreas.kohn@gmail.com> Tue, 03 December 2013 11:56 UTC

Hi,

the current RFC for OAuth 2.0 (http://www.rfc-editor.org/rfc/rfc6749.txt)
is very unclear on *how* to return the scope in the access token response
if there are multiple scopes requested/returned.

Could someone please clarify whether the scopes are supposed to be returned
as
1. space separated string value (i.e. in the same syntax in which they came
in), or
2. as JSON array (looks most "JSON-y"), or
3. in another format (for example GitHub uses ',')

There is a related question on Stack Overflow:
http://stackoverflow.com/questions/13290994/how-should-approved-scopes-be-returned-from-an-oauth2-0


Regards,
--
Andreas
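
Added example, not part of the original message and not code from any OAuth library: a client-side normalizer for the `scope` member of an access token response that accepts the three encodings listed in the message. RFC 6749 section 3.3 defines scope as a list of space-delimited, case-sensitive strings, and section 5.1 refers to that section for the response; the function names and sample responses are constructed for illustration.

```python
import json

def _valid_token(tok):
    # RFC 6749 section 3.3: scope-token = 1*( %x21 / %x23-5B / %x5D-7E )
    return isinstance(tok, str) and tok != "" and all(
        c == "\x21" or "\x23" <= c <= "\x5b" or "\x5d" <= c <= "\x7e" for c in tok)

def parse_scope(value, comma_compat=False):
    """Normalize a `scope` value to a frozenset of scope tokens.

    str  -> space-delimited list (the RFC 6749 section 3.3 syntax)
    list -> JSON array variant, one token per element
    comma_compat=True also splits on ',' for servers that use it. It is off
    by default because ',' (0x2C) is a legal character inside a scope token.
    """
    if value is None:
        return None                      # member omitted from the response
    if isinstance(value, list):
        tokens = value
    elif isinstance(value, str):
        tokens = (value.replace(",", " ") if comma_compat else value).split(" ")
        tokens = [t for t in tokens if t]  # tolerate repeated delimiters
    else:
        raise ValueError("unsupported scope type: " + type(value).__name__)
    bad = [t for t in tokens if not _valid_token(t)]
    if bad:
        raise ValueError("invalid scope token(s): %r" % bad)
    return frozenset(tokens)

def granted_scope(response_json, requested, comma_compat=False):
    """Scope actually granted by a token response (constructed helper).

    RFC 6749 section 5.1: `scope` may be omitted only when it is identical
    to the scope the client requested, so fall back to `requested` then.
    """
    granted = parse_scope(json.loads(response_json).get("scope"), comma_compat)
    return parse_scope(requested) if granted is None else granted

def scope_diff(requested, granted):
    """Report scopes the client asked for but did not get, and the reverse."""
    req = parse_scope(requested)
    return {"missing": sorted(req - granted), "unexpected": sorted(granted - req)}

if __name__ == "__main__":
    # Constructed sample response: server granted less than was requested.
    resp = '{"access_token": "x", "token_type": "bearer", "scope": "read"}'
    print(scope_diff("read write", granted_scope(resp, "read write")))
```

A client should make authorization decisions from the normalized granted set, not from the scope it requested.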