OAuth3 / SPEC

The OAuth3 Specification

Why is the scope "standardised"? #2

Closed themihai closed 9 years ago

themihai commented 9 years ago

We are using URLs as scopes, which makes it easier to manage. As all our API calls are "allowed", whenever a new URL is available the client can just use it as a scope. Is there any reason to use something like oauth3_message_rwx instead of the URL(s) (e.g. example.org/message/create example.org/message/update example.org/message/write)? It seems to me that oauth3_message_rwx adds additional complexity (i.e. an additional map to maintain) with no reward except perhaps being more compact. I would rather propose to require URLs instead of generic scopes (i.e. oauth3_message_rwx) and perhaps standardise the URL/query authorization model (e.g. example.com/items/*).
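The two scope styles being compared above can be put side by side in a resource server's scope check. The example below is an added illustration, not code from the OAuth3 spec or from either participant: a token's granted scopes are expanded into URL patterns (URL scopes pass through; a standardised name such as oauth3_message_rwx is resolved through the extra map the comment mentions) and then matched against the requested URL. The mapping contents, the `example.com/items/*` wildcard grammar (a trailing `*` covers one or more further path segments) and the helper names are assumptions. It also shows two checks a defender wants regardless of which style wins: the path is normalised before matching, so `..` segments cannot escape a wildcard, and matching is segment-bounded, so `example.com/items/*` does not cover `example.com/itemsecret`.

```python
import posixpath
from urllib.parse import urlsplit

# Standardised scope names need a map to the concrete endpoints they cover
# (the "additional map to maintain" from the issue). Constructed, hypothetical
# contents; the URLs are the ones quoted in the comment above.
STANDARD_SCOPE_MAP = {
    "oauth3_message_rwx": [
        "example.org/message/create",
        "example.org/message/update",
        "example.org/message/write",
    ],
}


def _split(url: str) -> tuple[str, list[str]]:
    """Return (lower-cased host, normalised path segments) for a URL or URL scope.

    The query string and fragment are dropped, and '.' / '..' segments are
    resolved so that 'example.com/items/../admin' is compared as '/admin'.
    """
    if "://" not in url:
        url = "https://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = posixpath.normpath(parts.path or "/")
    return host, [seg for seg in path.split("/") if seg]


def _matches(pattern: str, request_url: str) -> bool:
    """Segment-wise match of one URL scope pattern against a request URL."""
    p_host, p_segs = _split(pattern)
    u_host, u_segs = _split(request_url)
    if not p_host or p_host != u_host:
        return False
    for i, seg in enumerate(p_segs):
        if seg == "*" and i == len(p_segs) - 1:
            return len(u_segs) > i          # trailing '*': one or more further segments
        if i >= len(u_segs):
            return False
        if seg != "*" and seg != u_segs[i]:
            return False                    # whole-segment compare, no prefix match
    return len(u_segs) == len(p_segs)       # no wildcard: exact path only


def expand_scopes(granted: list[str]) -> list[str]:
    """Turn a token's granted scopes into URL patterns.

    URL-style scopes pass through unchanged; standardised names are looked up
    in STANDARD_SCOPE_MAP; an unknown bare name grants nothing (fail closed).
    """
    patterns: list[str] = []
    for scope in granted:
        if scope in STANDARD_SCOPE_MAP:
            patterns.extend(STANDARD_SCOPE_MAP[scope])
        elif "/" in scope:
            patterns.append(scope)
    return patterns


def is_allowed(granted: list[str], request_url: str) -> bool:
    """True if any granted scope covers the requested URL."""
    return any(_matches(p, request_url) for p in expand_scopes(granted))


if __name__ == "__main__":
    # Constructed sample checks, one per style.
    print(is_allowed(["example.com/items/*"], "https://example.com/items/42?fields=all"))  # True
    print(is_allowed(["example.com/items/*"], "example.com/itemsecret"))                    # False
    print(is_allowed(["oauth3_message_rwx"], "example.org/message/update"))                 # True
```

With URL scopes the check is the pattern match alone; with standardised names the same check works only as long as STANDARD_SCOPE_MAP is kept in step with the API, which is the maintenance cost the comment points at. The trade-off the rest of the thread discusses is that the map is also what lets a client ask for "messaging" without knowing the server's URL layout.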

coolaj86 commented 9 years ago

One of the goals of OAuth3 is to support the peer-web, which means that we need apps and devices to be able to interact without knowing internal implementation details.

For scopes that are specific to your backend it won't matter how you name them, just as with OAuth2.

However, for the common APIs that are available on Phones, Tablets, Web Apps, etc there need to be standardized scopes so that any particular app can determine if any particular service supports messaging or alarms (reminders) or file storage, etc.

themihai commented 9 years ago

That makes sense though I think the services should be more specific. (i.e. smsRWX or emailRWX instead of messagingRWX).

coolaj86 commented 9 years ago

It needs to treat a message as a message as a message - no matter whether it's a proprietary system or a carrier-specific system or a standard system.

Otherwise it'll just start to explode with facebook_message_rxw, tweet_rxw, etc.