+1, sounds reasonable to me and I don't see why not. Also, it fits with
current implementations that I'm familiar with.
-- Justin

On 01/20/2012 06:19 PM, Eran Hammer wrote:

The current text:

If the issued access token scope
is different from the one requested by the client, the authorization
server SHOULD include the "scope" response parameter to inform the
client of the actual scope granted.

Stephen asked why not a MUST. I think it should be MUST. Any disagreement?

EHL
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
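
An added example, not part of the original thread or of any implementation mentioned in it: a client-side check that consumes the "scope" response parameter and shows why an omitted value is only trustworthy if the server always sends it when the grant differs. The function name and sample responses are constructed, and it assumes the token response is a JSON object carrying "scope" as a space-delimited string.

```python
import json


def granted_scope(requested, token_response):
    """Compare the requested scope with what a token response reports.

    requested      -- space-delimited scope string the client asked for
    token_response -- parsed JSON object from the token endpoint
    Returns (granted, missing, extra) as sets of scope tokens.
    """
    asked = set(requested.split())
    raw = token_response.get("scope")
    if raw is None:
        # "scope" omitted: the client can only assume the grant equals the
        # request. If the server may omit it even when the grant differs,
        # this assumption is wrong and the client cannot detect that.
        granted = set(asked)
    elif isinstance(raw, str):
        granted = set(raw.split())
    else:
        raise ValueError('"scope" must be a space-delimited string')
    # missing: asked for but not granted; extra: granted but never asked for
    return granted, asked - granted, granted - asked


def check(requested, body):
    """Parse a raw JSON token response and report scope differences."""
    granted, missing, extra = granted_scope(requested, json.loads(body))
    return {"granted": sorted(granted),
            "missing": sorted(missing),
            "extra": sorted(extra)}


# Constructed sample token responses (not captured from a real server).
REDUCED = '{"access_token": "PLACEHOLDER", "token_type": "bearer", "scope": "read"}'
OMITTED = '{"access_token": "PLACEHOLDER", "token_type": "bearer"}'

if __name__ == "__main__":
    print(check("read write", REDUCED))  # server reported a narrower grant
    print(check("read write", OMITTED))  # client falls back to the request
```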