Could you point out which part of the spec specifies this (am looking at draft 10)?
In any case, I would expect the auth server to include the scopes granted in
the access token response to avoid any ambiguity.
On Nov 29, 2010, at 8:40 AM, Eran Hammer-Lahav wrote:
#2. Asking for scope on the access token call can only reduce the already
approved scope.
EHL
From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Anton
Panasenko
Sent: Friday, November 26, 2010 10:54 AM
To: oauth@ietf.org
Subject: [OAUTH-WG] OAuth 2.0 server behavior
Hi,
What behavior is expected from the server, if in the query on access_token
without "scope"
(grant_type=authorization_code&client_id=s6BhdRkqt3&client_secret=gX1fBat3bV&code=i1WsRn1uB1&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fc)?
1. The server must generate access_token for an emp
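
An added example, not part of the thread or of the draft: a sketch of token-endpoint scope handling that follows the rule stated above (a scope on the access token request can only narrow what was already approved) and returns the granted scope in the response. The approved-scope table, the function name, the error code names (taken from RFC 6749) and the choice to treat an omitted scope as the full approved scope are assumptions of this example.

```python
import secrets
from urllib.parse import parse_qs

# Constructed sample data: scope the resource owner approved when each
# authorization code was issued (hypothetical store, keyed by code).
APPROVED_BY_CODE = {"i1WsRn1uB1": {"read", "write"}}


def token_response(form_body: str) -> dict:
    """Handle the scope part of an authorization_code token request.

    Client authentication and redirect_uri matching are assumed to have
    been done already and are not shown here.
    """
    params = parse_qs(form_body, keep_blank_values=True)
    code = params.get("code", [""])[0]
    approved = APPROVED_BY_CODE.get(code)
    if approved is None:
        return {"error": "invalid_grant"}  # unknown or expired code

    raw_scope = params.get("scope", [""])[0].strip()
    if not raw_scope:
        # Assumption: no scope parameter means "everything already approved".
        granted = set(approved)
    else:
        requested = set(raw_scope.split())
        # The request may narrow the approved scope but never widen it.
        if not requested <= approved:
            return {"error": "invalid_scope"}
        granted = requested

    # Always state the granted scope so the client never has to guess.
    return {
        "access_token": secrets.token_urlsafe(32),
        "scope": " ".join(sorted(granted)),
    }


if __name__ == "__main__":
    # Request body as quoted in the thread (no scope parameter).
    body = ("grant_type=authorization_code&client_id=s6BhdRkqt3"
            "&client_secret=gX1fBat3bV&code=i1WsRn1uB1"
            "&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fc")
    print(token_response(body)["scope"])
    print(token_response(body + "&scope=read")["scope"])
    print(token_response(body + "&scope=read+admin"))
```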