"scope" is about the permissions that a client application is
requesting. But if those permissions are inherently bound to the users
because the users have certain roles, the Access Token requested for a
user can be bound to those roles by the Authorization server. I don't
feel there's a requirement to use "scope" at all.

If, however, you want client applications to specifically state for
which role they're requesting access, there's nothing to prevent you
from implementing the scheme suggested. The specification doesn't
state any format of scopes and neither does it say anything on how the
scope values are converted into actual access privileges.

Regards,
 Lukas Rosenstock

2010/7/6 wjgerritsen <epsilon...@gmail.com>:
> Hi,
>
> I am playing with the idea of using role names in the scope parameter
> (of RequestToken endpoint) for authorizing to our platform. It will
> work somehow like this: A user has a number of roles: e.g. SalesRep,
> Employee, Manager. To each role a consistent privilege set is
> assigned, so the user would also be able to use (part of) the
> functionality of the platform with only one role.
>
> Then the token would be bound to a certain role (e.g. SalesRep), such
> that the consumer app cannot exercise all privileges of the user, but
> only those limited to the assigned scope, which is a role. Upon app
> registration, it will be made clear which roles are liable for the
> scope parameter.
>
> Any comments?
>
> regards,
> Willem Jan
>
> --
> You received this message because you are subscribed to the Google Groups 
> "OAuth" group.
> To post to this group, send email to oa...@googlegroups.com.
> To unsubscribe from this group, send email to 
> oauth+unsubscr...@googlegroups.com.
> For more options, visit this group at 
> http://groups.google.com/group/oauth?hl=en.
>
>
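
The scheme discussed in this thread, sketched as an added example that is not code from either poster or from any OAuth implementation: an authorization server that treats each scope value as a role name and binds the token to the requested roles only when the client registered for them and the user holds them. The privilege names, client id, user names, function names and the space-separated scope format are assumptions; only the role names come from the thread.

```python
# Hypothetical role -> privilege sets (privilege names are constructed).
ROLE_PRIVILEGES = {
    "SalesRep": {"leads:read", "leads:write"},
    "Employee": {"profile:read", "timesheet:write"},
    "Manager": {"reports:read", "timesheet:approve"},
}
# Constructed registration data: roles each client may name in "scope".
CLIENT_ALLOWED_ROLES = {"crm-app": {"SalesRep", "Employee"}}
# Constructed user directory: roles each user actually holds.
USER_ROLES = {"alice": {"SalesRep", "Employee", "Manager"}, "bob": {"Employee"}}


class ScopeError(ValueError):
    """Raised when a requested scope cannot be granted."""


def issue_token(client_id, user, scope):
    """Bind a token to the roles named in scope, failing closed on any mismatch."""
    requested = set(scope.split())  # assumption: space-separated role names
    if not requested:
        raise ScopeError("empty scope")
    unknown = requested - set(ROLE_PRIVILEGES)
    if unknown:
        raise ScopeError(f"unknown roles: {sorted(unknown)}")
    # The client may only ask for roles declared at registration time.
    unregistered = requested - CLIENT_ALLOWED_ROLES.get(client_id, set())
    if unregistered:
        raise ScopeError(f"client not registered for: {sorted(unregistered)}")
    # A token can never carry a role the user does not hold.
    not_held = requested - USER_ROLES.get(user, set())
    if not_held:
        raise ScopeError(f"user lacks roles: {sorted(not_held)}")
    privileges = set().union(*(ROLE_PRIVILEGES[r] for r in requested))
    return {"client": client_id, "user": user,
            "roles": sorted(requested), "privileges": sorted(privileges)}


def is_allowed(token, privilege):
    """Resource-server check: only privileges bound to the token count."""
    return privilege in token["privileges"]


if __name__ == "__main__":
    tok = issue_token("crm-app", "alice", "SalesRep")
    print(tok["roles"], is_allowed(tok, "reports:read"))
```

Rejecting the whole request on any mismatch is a design choice made here; silently granting the permitted subset is the other common option, and the thread does not prescribe either.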
