In Section 6.1, Handling Denials of incremental authorization requests, I wonder if the resource owner should be provided the ability by the Authorization Server to reject not just the additional scope(s) but also all previously granted ones. This would be to guard against the client withholding dubious permission requests at the outset that might indicate to the resource owner that the client isn't particularly reliable, scopes that if they were provided all at once at the beginning would have resulted in the user never approving any of them. If the user is inclined to deny an additional permission request due to a newfound lack of trust, he may also want to immediately decline previously granted permissions as well.
In Section 7.2, it seems odd for the Authorization Server to rely on the client to tell it what scopes have already been approved for it. I would think there would need to be a mechanism for the Auth Server to verify that information, but given that, why not rely on that information directly instead of what the client would be informing it? Regards, Glen
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
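Added example (not part of the post above, nor of any IETF draft): a toy authorization-server consent routine illustrating the two points raised, namely that the server should decide the effective scope set from its own grant record rather than from what the client claims it already holds, and that a denial of an incremental request may optionally revoke earlier grants as well. `ConsentStore`, `effective_scopes` and `handle_decision` are assumed names for this illustration.

```python
"""Toy OAuth authorization-server consent logic for incremental authorization.

Constructed example: the grant store and function names are assumptions, not
part of any IETF draft or product.
"""
from dataclasses import dataclass, field


@dataclass
class ConsentStore:
    # (user_id, client_id) -> set of scopes the resource owner has approved.
    grants: dict = field(default_factory=dict)

    def granted(self, user_id, client_id):
        return set(self.grants.get((user_id, client_id), set()))

    def record(self, user_id, client_id, scopes):
        self.grants[(user_id, client_id)] = set(scopes)

    def revoke_all(self, user_id, client_id):
        self.grants.pop((user_id, client_id), None)


def effective_scopes(store, user_id, client_id, requested, client_claimed_prior):
    """Compute the scope set to show on the consent screen.

    The client may assert which scopes it already holds, but the server only
    trusts its own grant record; the client's claim is used solely to detect a
    mismatch worth logging (returned as the second value).
    """
    prior = store.granted(user_id, client_id)
    mismatch = set(client_claimed_prior) - prior  # claimed but never granted
    return prior | set(requested), mismatch


def handle_decision(store, user_id, client_id, requested, approved, revoke_prior=False):
    """Apply the resource owner's decision on an incremental request.

    Returns the scopes the client now holds. A denial may optionally pull
    previously granted scopes too (the 'lost trust' case).
    """
    prior = store.granted(user_id, client_id)
    if approved:
        store.record(user_id, client_id, prior | set(requested))
    elif revoke_prior:
        store.revoke_all(user_id, client_id)
    return store.granted(user_id, client_id)
```

The client-supplied list of prior scopes never changes what is issued; it only feeds a mismatch signal that an operator can alert on, which is the verification step the post asks about.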