From what I can tell from https://www.rfc-editor.org/rfc/rfc6749#section-3.3, it isn't required to return the scope (unless the scope was changed). Am I reading this correctly?

I noticed that Google wasn't sending it while I was troubleshooting #28011269. Is this normal, though?

flamusdiu

1 Answer

The Authorization Server may choose not to send a scope value in the response if all of the requested scopes in the client's request were granted. If any of the requested scopes were not granted, it must return the actual granted scopes.

Also, if the client did not request any specific scopes, it may choose not to return a scope value assuming that it has a documented default value and the client knows about it, or else it may fail the request indicating an invalid scope.

Hans Z.
  • I am still new at OAuth authentication. I wasn't sure if I was looking correctly. Though, it does show that Python's oauthlib application has a bug when using Google's OAuth2. Thanks for the information, Hans. – flamusdiu Jan 21 '15 at 00:41
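
A client-side reading of the rule described in the answer above, as an added example that is not part of the original question, answer, or of oauthlib. The function names, the `default` parameter and the sample token responses are constructed for illustration.

```python
import json

# Constructed sample token responses (not captured from any real provider).
SAMPLE_OMITTED = '{"access_token": "tok-1", "token_type": "Bearer", "expires_in": 3600}'
SAMPLE_NARROWED = '{"access_token": "tok-2", "token_type": "Bearer", "scope": "profile"}'


def effective_scope(requested, token_response, default=None):
    """Return the set of scopes the issued access token actually carries.

    requested      -- scopes the client sent in its request (may be empty)
    token_response -- decoded JSON body of the token response
    default        -- the server's documented default scope, if the client
                      knows it (assumption: supplied by the caller)
    """
    requested = set(requested)
    raw = token_response.get("scope")
    if raw is None:
        # Scope omitted: the grant is identical to what was requested.
        if requested:
            return requested
        # Nothing requested and nothing returned: only a known default helps.
        if default is not None:
            return set(default)
        raise ValueError("no scope requested, none returned, no known default")
    # Scope present: it is the authoritative, space-delimited grant.
    # An empty string yields an empty set, so the client fails closed.
    return set(raw.split())


def missing_scopes(requested, token_response, default=None):
    """Scopes the client asked for but did not receive."""
    return set(requested) - effective_scope(requested, token_response, default)


def check_grant(requested, body, default=None):
    """Parse a raw token response and refuse to proceed on a narrowed grant."""
    response = json.loads(body)
    missing = missing_scopes(requested, response, default)
    if missing:
        raise PermissionError("scopes not granted: " + " ".join(sorted(missing)))
    return effective_scope(requested, response, default)
```

A response without `scope` is therefore not an error when scopes were requested; the client should only reject it when the returned value is narrower than what the calling feature needs.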