oauth-wg / oauth-v2-1

OAuth 2.1 is a consolidation of the core OAuth 2.0 specs
https://oauth.net/2.1/

Use of 'permissions' term in refresh token section #164

Closed jogu closed 10 months ago

jogu commented 1 year ago

https://www.ietf.org/archive/id/draft-ietf-oauth-v2-1-09.html#section-1.3.2 says:

access tokens may have a shorter lifetime and fewer permissions than authorized by the resource owner

I've recently had some in-depth conversations about what "permissions" here means. This is the only use of 'permissions' [in this way] in the whole document, and I don't think there's some special thing that's different in the refresh token grant that means we should be using a different word. I think it might be a small improvement to use the same terms as used elsewhere in the document - other words that are already used are "access range", "scopes", "scope-token" and "privileges".

Changing "permissions" to "privileges" seems like it would probably be the most consistent with the rest of the spec.

aaronpk commented 10 months ago

Agreed, I think that's an easy fix. "privileges" is used in a lot of other places already.