[Closed] aaronpk closed this issue 3 years ago
To me:
insufficient_scope => the client does not have the scope required for the request
invalid_scope => when I see invalid_scope, I think that the RS does not understand what scope the client has
I'll get clarity for what Vittorio is asking for.
Here is my restatement from thread with Vittorio:
"insufficient_scopes" - is the correct error to return if the application has not been granted the scopes required for the request
Vittorio: "to me the highest order bit is ensuring that the reader doesn't abuse insufficient_scopes and realizes other error codes are possible."
I've submitted a pull request with suggested language changes
From Vittorio:
§7.2.3 The "insufficient_scope" description here is problematic. The privileges the AT carries/points to are not necessarily (or exclusively) represented by the included scopes (e.g. the RO might have granted document:read to the client, but the RO might have no privileges for the particular document being requested in this particular call). It might be useful to specify that "invalid_scope" should be used for authorization errors that can actually be expressed in terms of delegated authorization, leaving to RS implementers the freedom to handle other authorization issues (e.g. user privileges, RBAC, etc.) with a different error code. Or at least, we should be clear that authorization logic not expressed via scopes is out of scope (pun not intended) for this specification. Note, this isn't an abstract problem: there are SDKs out there that use "invalid_scope" for every permission issue. Very confusing.
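To make the distinction in the thread concrete, here is an added example of a resource server's error-code selection. It is not code from the thread, the spec, or any SDK mentioned above; the token table, document ACL and scope-per-action map are constructed sample data. It follows the RFC 6750 §3.1 codes (invalid_token => 401, insufficient_scope => 403) and, for the case Vittorio raises where the delegated scope is present but the resource owner has no rights on the specific object, returns a plain 403 with no OAuth error code at all, so that neither insufficient_scope nor invalid_scope is misused for an authorization decision that scopes do not express.

```python
"""Choosing the bearer-token error code on the resource server (RS).

Added example; all data below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional

REALM = "docs"


@dataclass
class Decision:
    status: int
    www_authenticate: Optional[str]  # None when no RFC 6750 challenge applies
    reason: str


# Constructed stand-in for a token validation / introspection result.
TOKENS = {
    "tok-alice": {"active": True, "sub": "alice", "scope": "document:read"},
    "tok-expired": {"active": False, "sub": "alice", "scope": "document:read"},
}

# Constructed per-document ACL: object-level authorization that scopes do not describe.
DOCUMENT_ACL = {
    "doc-1": {"alice"},
    "doc-2": {"bob"},
}

# Constructed mapping from the requested action to the scope it requires.
SCOPE_FOR_ACTION = {
    "read": "document:read",
    "write": "document:write",
}


def challenge(error: str, description: str, scope: Optional[str] = None) -> str:
    """Build a WWW-Authenticate value in the RFC 6750 section 3 form."""
    params = [f'realm="{REALM}"', f'error="{error}"',
              f'error_description="{description}"']
    if scope:
        # Advertise the scope the request needed so the client can re-consent.
        params.append(f'scope="{scope}"')
    return "Bearer " + ", ".join(params)


def authorize(token: Optional[str], action: str, doc_id: str) -> Decision:
    """Decide status code and challenge for one protected-resource request."""
    if token is None:
        # No credentials at all: RFC 6750 says the RS should not pick an error code.
        return Decision(401, f'Bearer realm="{REALM}"', "no credentials presented")

    info = TOKENS.get(token)
    if info is None or not info["active"]:
        # Token is unknown, expired or revoked: invalid_token, never invalid_scope.
        return Decision(401, challenge("invalid_token",
                        "The access token is invalid or expired"), "bad token")

    required = SCOPE_FOR_ACTION[action]
    granted = set(info["scope"].split())
    if required not in granted:
        # Delegated authorization is what is missing: this is insufficient_scope.
        return Decision(403, challenge("insufficient_scope",
                        "The request requires higher privileges", scope=required),
                        f"token lacks scope {required}")

    if info["sub"] not in DOCUMENT_ACL.get(doc_id, set()):
        # Scope was granted, but the resource owner has no rights on this object.
        # This is not a scope problem, so no OAuth error code is attached.
        return Decision(403, None, f"{info['sub']} is not permitted on {doc_id}")

    return Decision(200, None, "ok")


if __name__ == "__main__":
    for args in [(None, "read", "doc-1"), ("tok-expired", "read", "doc-1"),
                 ("tok-alice", "write", "doc-1"), ("tok-alice", "read", "doc-2"),
                 ("tok-alice", "read", "doc-1")]:
        print(args, authorize(*args))
```

The last branch is the one the SDKs Vittorio mentions get wrong: the token is valid and carries the right scope, so emitting invalid_scope (an authorization-server error from RFC 6749 §5.2) or insufficient_scope would tell the client to go back and re-consent for a scope it already has.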