Re: [OAUTH-WG] SHOULD vs MUST for indicating scope on response when different from client request

Justin Richer Mon, 23 Jan 2012 08:29:06 -0800

+1, sounds reasonable to me and I don't see why not. Also, it fits withcurrent implementations that I'm familiar with.


 -- Justin


On 01/20/2012 06:19 PM, Eran Hammer wrote:


The current text:

   If the issued access token scope

   is different from the one requested by the client, the authorization

   server SHOULD include the "scope" response parameter to inform the

   client of the actual scope granted.

Stephen asked why not a MUST. I think it should be MUST. Any disagreement?

EHL



_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

Re: [OAUTH-WG] SHOULD vs MUST for indicating scope on response when different from client request

Reply via email to