Section 4.1.1 describes the parameters of the *authorization* request, not the token request. After the user approves the scope in the authorization request, the client exchanges the code for the access token. I'm talking about the token request, where there is no scope parameter listed, section 4.1.3 https://tools.ietf.org/html/rfc6749#section-4.1.3
----
Aaron Parecki
aaronparecki.com
@aaronpk <http://twitter.com/aaronpk>

On Tue, Jul 7, 2015 at 1:08 AM, Antonio Sanso <asa...@adobe.com> wrote:
> hi Aaron
>
> On Jul 7, 2015, at 6:23 AM, Aaron Parecki <aa...@parecki.com> wrote:
>
> Section 5.2 lists the possible errors the authorization server can
> return for an access token request. In the list is "invalid_scope", which
> as I understand it, can only be returned for a "password" or
> "client_credentials" grant, since scope is not a parameter of an
> "authorization_code" grant.
>
> why not :) ? From https://tools.ietf.org/html/rfc6749#section-4.1.1
>
> scope
> OPTIONAL. The scope of the access request as described by
> Section 3.3 <https://tools.ietf.org/html/rfc6749#section-3.3>.
>
> regards
>
> antonio
>
> Because of this, I believe the phrase "or exceeds the scope granted by
> the resource owner." is unnecessary, since there is no initial grant by the
> resource owner. Am I reading this correctly, or is there some situation I
> am not thinking of? Thanks!
>
> ----
> Aaron Parecki
> aaronparecki.com
> @aaronpk <http://twitter.com/aaronpk>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
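The point under discussion in the thread, where the scope is decided in the authorization code flow and which endpoint can answer with `invalid_scope`, is easier to see in a small model than in the section cross-references. The following is an added illustration, not code from the thread or from any IETF project: a toy authorization server whose authorization step (RFC 6749 section 4.1.1/4.1.2) takes the `scope` parameter and binds the scope the resource owner approved to the issued code, and whose token endpoint (section 4.1.3) has no `scope` parameter in the `authorization_code` branch and simply issues a token carrying the bound scope. A `client_credentials` branch (section 4.4.2, where `scope` is a token-request parameter) is included for contrast, since that is the case where section 5.2's `invalid_scope` clearly applies. The `scope`-echo check in the `authorization_code` branch is a defensive design choice labelled as such in the code, one reading of the "exceeds the scope granted by the resource owner" wording the thread questions, not a requirement of the RFC. Class and function names and the sample client registration are constructed.

```python
import secrets
from dataclasses import dataclass


@dataclass
class IssuedCode:
    """State bound to an authorization code at authorization time (constructed model)."""
    client_id: str
    redirect_uri: str
    granted_scope: frozenset  # scope the resource owner actually approved
    used: bool = False


class AuthorizationServer:
    """Toy authorization server covering the authorization step and the token endpoint."""

    def __init__(self, clients):
        # client_id -> scopes the client is registered for (sample registration, constructed)
        self.clients = {cid: frozenset(s) for cid, s in clients.items()}
        self.codes = {}

    def authorize(self, client_id, redirect_uri, requested_scope, approved_scope):
        """Authorization request (4.1.1): 'scope' is a parameter HERE.
        approved_scope is what the resource owner consented to; per 3.3 it may be
        narrower than requested but the consent step must never widen it."""
        allowed = self.clients.get(client_id, frozenset())
        requested = frozenset(requested_scope.split())
        approved = frozenset(approved_scope.split())
        if not requested or not requested <= allowed:
            # 4.1.2.1: invalid_scope on the *authorization* response
            return {"error": "invalid_scope"}
        if not approved <= requested:
            raise ValueError("consent step cannot widen the requested scope")
        code = secrets.token_urlsafe(16)
        self.codes[code] = IssuedCode(client_id, redirect_uri, approved)
        return {"code": code}

    def token(self, params):
        """Token endpoint (4.1.3 / 4.4.2 / 5.2). params models the form body."""
        grant = params.get("grant_type")
        if grant == "authorization_code":
            rec = self.codes.get(params.get("code"))
            if (rec is None or rec.used
                    or rec.client_id != params.get("client_id")
                    or rec.redirect_uri != params.get("redirect_uri")):
                return {"error": "invalid_grant"}
            rec.used = True  # codes are single use (4.1.2)
            # Defensive choice, not mandated by 4.1.3 (which lists no scope parameter):
            # if a client sends scope anyway and it exceeds what the resource owner
            # granted, refuse with invalid_scope rather than silently narrowing.
            if "scope" in params:
                echoed = frozenset(params["scope"].split())
                if not echoed <= rec.granted_scope:
                    return {"error": "invalid_scope"}
            # The token scope is whatever was bound to the code, never a new request.
            return self._issue(rec.granted_scope)
        if grant == "client_credentials":
            # Here scope IS a token-request parameter (4.4.2) and is checked
            # against the client's registration; this is where 5.2's
            # invalid_scope is unambiguous.
            allowed = self.clients.get(params.get("client_id"), frozenset())
            requested = frozenset(params.get("scope", "").split()) or allowed
            if not requested <= allowed:
                return {"error": "invalid_scope"}
            return self._issue(requested)
        return {"error": "unsupported_grant_type"}

    @staticmethod
    def _issue(scope):
        # 5.1: 'scope' is included so the client can see what it actually got
        return {"access_token": secrets.token_urlsafe(24),
                "token_type": "Bearer",
                "scope": " ".join(sorted(scope))}


def demo():
    """Walk one authorization_code exchange; returns the token response."""
    srv = AuthorizationServer({"app": {"read", "write"}})
    auth = srv.authorize("app", "https://client.example/cb", "read write", "read")
    return srv.token({"grant_type": "authorization_code", "code": auth["code"],
                      "client_id": "app", "redirect_uri": "https://client.example/cb"})


if __name__ == "__main__":
    print(demo())
```

The thing to check in a real server is the same as in this model: the scope carried by the token issued at 4.1.3 must come from state bound to the code at authorization time, not from anything the client sends to the token endpoint, because the token request is not where the resource owner's consent was recorded.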