+1 Eran's proposal as well

On Mon, Apr 19, 2010 at 1:34 PM, Torsten Lodderstedt
<tors...@lodderstedt.net> wrote:
> +1
>
> On 19.04.2010 18:25, Eran Hammer-Lahav wrote:
>>
>> Proposal:
>>
>> 'scope' is defined as a comma-separated list of resource URIs or resource
>> groups (e.g. contacts, photos). The server can provide a list of values for
>> the client to use in its documentation, or the client can use the URIs or
>> scope identifier of the protected resources it is trying to access (before
>> or after getting a 401 response).
>>
>> For example:
>>
>> 1. Client requests resource
>>
>>     GET /resource HTTP/1.1
>>     Host: example.com
>>
>> 2. Server requires authentication
>>
>>     HTTP/1.1 401 Unauthorized
>>     WWW-Authenticate: Token realm='Example', scope='x2'
>>
>> 3. Client requests an access token by including scope=x2 in the request
>>
>> Alternatively, the client can ask for an access token with
>> scope=http://example.com/resource.
>>
>> If the client needs access to two resources with different scopes, it
>> requests an access token for scope=x2,x1.
>>
>> That's it!
>>
>> It allows the client to figure out what value to put in the scope parameter
>> and how to encode multiple scopes without any server-specific documentation.
>> Servers that wish to rely exclusively on paperwork can just omit the scope
>> parameter from the WWW-Authenticate header.
>>
>> We can pick a different separator (space, semicolon, etc.) or different
>> parameter name (resource(s)).
>>
>> EHL
>>
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>
>

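The client side of the quoted proposal, as an added example that is not code from this thread or from any OAuth draft: it parses the `Token` challenge from a 401 response and builds one comma-separated `scope` value covering several resources, falling back to the resource URI when the server omits `scope`. The function names are hypothetical, and rejecting a value that contains the separator is an assumption, since the proposal defines no escaping.

```python
import re

# auth-param with a quoted value; the proposal's example uses single quotes.
_PARAM = re.compile(r"""(\w+)\s*=\s*(?:'([^']*)'|"([^"]*)")""")


def parse_token_challenge(header):
    """Return the params of a 'Token' challenge as a dict, or None for other schemes."""
    scheme, _, rest = header.strip().partition(" ")
    if scheme.lower() != "token":
        return None
    params = {}
    for name, single, double in _PARAM.findall(rest):
        params[name.lower()] = single or double
    return params


def scope_for_token_request(resources):
    """Build one scope value covering every (resource_uri, challenge_header) pair.

    Uses the scope advertised in the 401 challenge when there is one, otherwise
    falls back to the resource URI itself, the alternative the proposal allows.
    """
    scopes = []
    for uri, header in resources:
        params = parse_token_challenge(header) if header else None
        advertised = (params or {}).get("scope", "")
        values = [s.strip() for s in advertised.split(",") if s.strip()] or [uri]
        for value in values:
            # Assumption: the proposal defines no escaping, so a value that
            # contains the separator cannot be sent unambiguously; reject it.
            if "," in value:
                raise ValueError(f"scope value contains separator: {value!r}")
            if value not in scopes:  # request each scope once, keep order
                scopes.append(value)
    return ",".join(scopes)


# Constructed sample input based on the example in the proposal.
SAMPLE = [
    ("http://example.com/resource", "Token realm='Example', scope='x2'"),
    ("http://example.com/contacts", "Token realm='Example', scope='x1'"),
    ("http://example.com/photos", "Token realm='Example'"),  # scope omitted
]

if __name__ == "__main__":
    print(scope_for_token_request(SAMPLE))
```

A resource URI that itself contains a comma is the case a comma-separated encoding cannot carry, which is one reason the choice of separator left open at the end of the proposal matters.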