The way APIs are generally designed, the first option seems the most likely/reasonable/privacy-protecting. If that's the case, what other design considerations would there (have to) be for scope sets? E.g., our notes from last week had this list in it:
1. The universe of scopes the RS has registered for the resource set
2. The scopes the client has registered for at the AS (if it has done this at all)
3. What the RO has attached to the policy for the resource set
4. What the RS requests for at the permission endpoint (in order to get a ticket)
5. The scopes the client requests at the token endpoint
There would need to be some insertions and questions answered for at least #1, #2, and #5.
Eve Maler
Cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl
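As an added illustration (not part of the thread above, and not an UMA specification rule), the following Python models one way the five scope sources listed in the message could be reconciled: the scopes actually granted are the intersection of every source that is present, so no party can widen what another has limited, and each dropped scope is reported with the source(s) that excluded it. The treatment of an absent client registration or absent client request as "no constraint", and the rejection of an RS permission request for scopes it never registered, are assumptions made for this example; the scope names and sets are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ScopeSources:
    """The five scope sets from the thread, numbered as in the list."""
    rs_registered: frozenset                 # 1. universe the RS registered for the resource set
    client_registered: Optional[frozenset]   # 2. scopes the client registered at the AS (None = never did)
    ro_policy: frozenset                     # 3. scopes the RO attached to the policy
    rs_requested: frozenset                  # 4. scopes the RS asked for at the permission endpoint
    client_requested: Optional[frozenset]    # 5. scopes the client asked for at the token endpoint (None = none given)


def reconcile_scopes(src: ScopeSources) -> Tuple[frozenset, Dict[str, List[str]]]:
    """Return (granted scopes, {rejected scope: [sources that excluded it]}).

    Assumption for this example: the RS may only request scopes it registered;
    anything else is treated as an error rather than silently dropped.
    """
    unregistered = src.rs_requested - src.rs_registered
    if unregistered:
        raise ValueError(f"RS requested unregistered scopes: {sorted(unregistered)}")

    # Every present source acts as a constraint; an absent optional source does not.
    constraints = [("ro_policy", src.ro_policy), ("rs_requested", src.rs_requested)]
    if src.client_requested is not None:
        constraints.append(("client_requested", src.client_requested))
    if src.client_registered is not None:
        constraints.append(("client_registered", src.client_registered))

    granted = set(src.rs_registered)
    for _, scopes in constraints:
        granted &= scopes

    # Explain every scope that appears somewhere but was not granted.
    everything = set(src.rs_registered)
    for _, scopes in constraints:
        everything |= scopes
    rejected: Dict[str, List[str]] = {}
    for scope in sorted(everything):
        reasons = [name for name, scopes in constraints if scope not in scopes]
        if scope not in src.rs_registered:
            reasons.insert(0, "rs_registered")
        if reasons:
            rejected[scope] = reasons
    return frozenset(granted), rejected


# Constructed sample: every source limits the result in a different way.
SAMPLE = ScopeSources(
    rs_registered=frozenset({"read", "write", "delete", "share"}),
    client_registered=frozenset({"read", "write", "share"}),
    ro_policy=frozenset({"read", "write"}),
    rs_requested=frozenset({"read", "write", "delete"}),
    client_requested=frozenset({"read", "delete"}),
)


def demo() -> Tuple[frozenset, Dict[str, List[str]]]:
    return reconcile_scopes(SAMPLE)


if __name__ == "__main__":
    granted, rejected = demo()
    print("granted:", sorted(granted))
    for scope, reasons in rejected.items():
        print(f"rejected {scope}: excluded by {', '.join(reasons)}")
```

With the sample sets only `read` survives all five constraints; `write` is dropped because the client did not ask for it, and `delete` because neither the RO's policy nor the client's registration allows it. The per-scope reasons are what an AS operator would want in an audit log when a client complains that a token came back narrower than expected.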