shindig-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Michael Matthews <>
Subject Allowing an authorization server to provide an updated scope for OAuth2 tokens
Date Fri, 13 Jan 2012 18:59:59 GMT
Section 3.3 [1] of the OAuth2 spec suggests that an authorization server may
issue an access token with a scope different than what was requested.  It
goes on to say that the authorization server SHOULD include a "scope"
response parameter to inform the client of the actual scope granted.

We'd like to take advantage of this in our internally developed
authorization server. However it appears that Shindig does not look for this
"scope" parameter in the access token response. It always uses the scope
specified in the gadget (which is stored in the OAuth2Accessor).

It seems to me that the TokenAuthorizationResponseHandler should check the
response from the token endpoint to see if it contains an updated scope
instead of only using the scope from the OAuth2Accessor.  Does this seem
like a reasonable interpretation of the OAuth2 spec? If so, I'd be happy to
create a JIRA and contribute a patch.



  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message