In Section 6 you can send scope to down-scope a refresh token. In that case, if the client asks for a scope that was not part of the original code grant, then you would return invalid_scope.
It is not an error in the spec.

Regards
John B.

> On Jul 7, 2015, at 11:42 AM, Aaron Parecki <aa...@parecki.com> wrote:
>
> Section 4.1.1 describes the parameters of the *authorization* request, not
> the token request. After the user approves the scope in the authorization
> request, the client exchanges the code for the access token. I'm talking
> about the token request, where there is no scope parameter listed, section
> 4.1.3 https://tools.ietf.org/html/rfc6749#section-4.1.3
>
> ----
> Aaron Parecki
> aaronparecki.com
> @aaronpk
>
> On Tue, Jul 7, 2015 at 1:08 AM, Antonio Sanso <asa...@adobe.com> wrote:
> hi Aaron
>
> On Jul 7, 2015, at 6:23 AM, Aaron Parecki <aa...@parecki.com> wrote:
>
>> Section 5.2 lists the possible errors the authorization server can return
>> for an access token request. In the list is "invalid_scope", which as I
>> understand it, can only be returned for a "password" or "client_credentials"
>> grant, since scope is not a parameter of an "authorization_code" grant.
>
> why not :) ? From https://tools.ietf.org/html/rfc6749#section-4.1.1
>
> scope
> OPTIONAL. The scope of the access request as described by
> Section 3.3 <https://tools.ietf.org/html/rfc6749#section-3.3>.
>
> regards
>
> antonio
>
>> Because of this, I believe the phrase "or exceeds the scope granted by the
>> resource owner." is unnecessary, since there is no initial grant by the
>> resource owner. Am I reading this correctly, or is there some situation I am
>> not thinking of? Thanks!
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
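As an added illustration of the distinction discussed in this thread (example code written for this page, not from the list, from RFC 6749, or from any OAuth implementation), a minimal token-endpoint scope check: an authorization_code request carries no scope parameter, a refresh_token request may down-scope under Section 6 and gets invalid_scope when it exceeds the original grant, and password/client_credentials requests are checked against the client's registration. The client "app", the code, the refresh token and the scope names are constructed sample values.

```python
class OAuthError(Exception):
    """Token endpoint error carrying an RFC 6749 section 5.2 error code."""
    def __init__(self, code):
        super().__init__(code)
        self.code = code

# Constructed sample data for a hypothetical client "app"; not from the thread.
# Each entry maps a credential to (client_id, scope approved for it).
AUTH_CODES = {"code-1": ("app", frozenset({"read"}))}
REFRESH_TOKENS = {"rt-1": ("app", frozenset({"read", "write"}))}
CLIENT_SCOPES = {"app": frozenset({"read", "write", "admin"})}  # registered scope

def parse_scope(value):
    # Section 3.3: space-delimited, case-sensitive scope strings.
    return frozenset(value.split()) if value else frozenset()

def lookup(store, key, client_id, consume=False):
    # invalid_grant if the credential is unknown or belongs to another client;
    # consume=True removes it so an authorization code is single-use (4.1.2).
    grant = store.pop(key, None) if consume else store.get(key)
    if grant is None or grant[0] != client_id:
        raise OAuthError("invalid_grant")
    return grant[1]

def token_endpoint(params):
    """Return the scope an access token would carry for this token request,
    or raise OAuthError with the section 5.2 error code."""
    grant_type, client_id = params.get("grant_type"), params.get("client_id")
    requested = parse_scope(params.get("scope"))
    if grant_type == "authorization_code":
        # Section 4.1.3 lists no scope parameter: the scope was fixed when the
        # resource owner approved the authorization request, so a stray value
        # sent here is ignored rather than validated.
        return lookup(AUTH_CODES, params.get("code"), client_id, consume=True)
    if grant_type == "refresh_token":
        # Section 6: scope is OPTIONAL and MUST NOT include any scope not
        # originally granted; asking for more is the invalid_scope case.
        granted = lookup(REFRESH_TOKENS, params.get("refresh_token"), client_id)
        if not requested <= granted:
            raise OAuthError("invalid_scope")
        return requested or granted
    if grant_type in ("password", "client_credentials"):
        # No earlier resource-owner grant exists; check the client registration.
        allowed = CLIENT_SCOPES.get(client_id, frozenset())
        if not requested <= allowed:
            raise OAuthError("invalid_scope")
        return requested or allowed
    raise OAuthError("unsupported_grant_type")
```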