Closed mrpotes closed 7 years ago
We tried that -- the problem comes with being clear on how these should be applied, and where in the process. We don't specify what it means for a scope to be "registered" for the client, just like 6749 doesn't specify what it means for a redirect URI to be "registered". But in practice, this falls out to a few common implementations. The trick is being able to predict what will happen and react accordingly on all sides.
If you've tried and failed to simplify it, fair enough, I'll close this issue as I don't feel too strongly about it.
Not saying it can't be done better, just that we didn't come up with something.
On re-reading section 3.3.4, what do we think we gain by making the ClientRegistered set of scopes a first class citizen of the set math? If the AS supports pre-registration of scope (which it is not required to do by either 6749 or 7591), those scope values are simply another form of scope policy that the AS can apply to the union of Ticket scope and Requested scope. Would it be better to restructure 3.3.4 to instead state ClientRegistered scope as an example of a policy that the AS may apply to the scope when deciding what to grant in any returned RPT.