sknebel / AutoAuth

AutoAuth is a WIP extension for IndieAuth without the user being present

Include fewer pieces in Access Token Callback? #5

Closed sknebel closed 5 years ago

sknebel commented 5 years ago

Right now it repeats a bunch of information; maybe this should be reduced?

If it is willing to grant the token as requested, it generates a token and sends it to the Callback URL using a POST request. Its parameters are:

  • access_token - the token
  • token_type: Bearer
  • scope - the scopes for which the token was granted (space-separated list)
  • base_uri - the base URI defining the protection space
  • realm - the realm if any
  • state - the state as submitted by the authorization endpoint in the token request

base_uri and realm can probably be removed(?). In IndieAuth, scope is included in the response, does it make sense here?

access_token, token_type and state are definitely staying.

aaronpk commented 5 years ago

In IndieAuth and OAuth, scope is included only if it's different than the scope the client requested. I'd imagine the same would be true here.

sknebel commented 5 years ago

Hadn't realized that's from OAuth, will add that reference then. https://tools.ietf.org/html/rfc6749#section-5.2

I think overriding the base_uri is a bad idea, so it can be removed. realm maybe, but I think I err towards removing it for now too, and potentially adding it back if a use case comes up?

sknebel commented 5 years ago

I changed the descriptions and removed those for now.
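The callback shape the thread settles on (access_token, token_type and state always present, scope only when it differs from what was requested, base_uri and realm dropped) is small enough that the receiving side's validation can be shown in full. The handler below is an added example, not AutoAuth's own code: the in-memory table of pending requests, the `PendingRequest` type and the choice to reject scopes that were never requested are assumptions made for the example.

```python
import hmac
from dataclasses import dataclass
from urllib.parse import parse_qs


class CallbackError(ValueError):
    """Raised when the token callback POST is malformed or untrusted."""


@dataclass
class PendingRequest:
    state: str            # opaque value the authorization endpoint sent in the token request
    requested_scope: str  # space-separated scopes that were asked for


def make_pending() -> dict:
    # Constructed sample of outstanding token requests, keyed by state value.
    # A real deployment would persist these with an expiry (assumption, not from the spec).
    return {"s3cret-state-1": PendingRequest("s3cret-state-1", "read write")}


def parse_callback_body(body: str) -> dict:
    # Form-encoded POST body; every parameter must appear exactly once.
    params = parse_qs(body, keep_blank_values=True, strict_parsing=True)
    out = {}
    for key, values in params.items():
        if len(values) != 1:
            raise CallbackError(f"duplicate parameter: {key}")
        out[key] = values[0]
    return out


def handle_token_callback(body: str, pending: dict) -> dict:
    p = parse_callback_body(body)
    for required in ("access_token", "token_type", "state"):
        if required not in p or not p[required]:
            raise CallbackError(f"missing {required}")
    if p["token_type"].lower() != "bearer":
        raise CallbackError("unsupported token_type")

    # Look the state up with a constant-time compare so the table cannot be probed by timing.
    request = None
    for known, req in pending.items():
        if hmac.compare_digest(known.encode(), p["state"].encode()):
            request = req
    if request is None:
        raise CallbackError("unknown or replayed state")
    del pending[request.state]  # each state is single-use

    requested = set(request.requested_scope.split())
    # Per RFC 6749 section 5.2, scope is only sent when it differs from what was requested,
    # so an absent scope means the token carries exactly the requested scopes.
    granted = set(p["scope"].split()) if "scope" in p else requested
    unexpected = granted - requested
    if unexpected:  # conservative choice for this example: never accept a widened grant
        raise CallbackError(f"scope not requested: {' '.join(sorted(unexpected))}")
    return {
        "access_token": p["access_token"],
        "scope": " ".join(sorted(granted)),
        "scope_reduced": granted != requested,
    }
```

The state lookup consumes the entry, so a second POST carrying the same state is rejected as a replay, and a callback that arrives with no scope parameter is recorded as granting the full requested scope rather than an empty one.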