Open
Description
OAuth 2 has "scopes", which allow apps to limit their access to user data. Scopes are required per the spec, so we need to decide what we're going to do with them. (The scope parameter is a space-delimited list.)
There are a few options for what we could do here:
- Ignore the scope parameter, and have a dummy value for clients which need one (e.g. `*`)
- Allow clients to specify roles they're requesting: `scope=subscriber` could be used if the app only needs user-level data.
  - We could also allow clients to specify exact caps that they want as well, e.g. `scope=subscriber edit_posts`
- Use handcrafted scopes: `scope=user.read`. I have an existing design for this from the OAuth 1 days.
These each have benefits and drawbacks, so we need to decide what we want to do.
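To make the trade-offs concrete, here is an added worked model of all three options side by side. It is illustrative code written for this discussion, not code from the plugin, and it is in Python rather than PHP so it runs stand-alone; the role-to-capability table, the `user.read` / `posts.write` handcrafted scope names, and the choice of `*` as the default when no scope is sent are all assumptions. The one security property it enforces regardless of option is that a token can never carry a capability the resource owner does not actually hold.

```python
"""Scope parsing and resolution for the three designs discussed above.

Tokens in the space-delimited ``scope`` parameter may be:
  * ``*``            -- option 1: dummy value, everything the user can do
  * a role name      -- option 2: e.g. ``subscriber``
  * a capability     -- option 2 (exact caps): e.g. ``edit_posts``
  * a handcrafted id -- option 3: e.g. ``user.read``
Anything else is rejected with ``invalid_scope``.
"""
import re
from typing import Dict, List, Optional, Set

# Constructed role -> capability table; a small subset of the WordPress
# defaults, assumed for this example only.
ROLE_CAPS: Dict[str, Set[str]] = {
    "subscriber": {"read"},
    "contributor": {"read", "edit_posts", "delete_posts"},
    "author": {"read", "edit_posts", "delete_posts", "publish_posts",
               "upload_files", "edit_published_posts", "delete_published_posts"},
}

# Handcrafted scopes mapped onto capabilities (hypothetical names).
HANDCRAFTED: Dict[str, Set[str]] = {
    "user.read": {"read"},
    "posts.write": {"edit_posts", "publish_posts"},
}

# Every capability name the server knows about, so bare caps can be recognised.
ALL_CAPS: Set[str] = set().union(*ROLE_CAPS.values()) | set().union(*HANDCRAFTED.values())

# RFC 6749 section 3.3: scope-token = 1*( %x21 / %x23-5B / %x5D-7E )
SCOPE_TOKEN = re.compile(r"^[\x21\x23-\x5b\x5d-\x7e]+$")


class InvalidScope(ValueError):
    """Maps onto the OAuth 2 ``invalid_scope`` error response."""


def parse_scope(scope: Optional[str]) -> List[str]:
    """Split the scope parameter strictly: single spaces, no empty or odd tokens."""
    if not scope:
        return []
    tokens = scope.split(" ")
    for token in tokens:
        if not SCOPE_TOKEN.match(token):
            raise InvalidScope(f"malformed scope token: {token!r}")
    return list(dict.fromkeys(tokens))  # de-duplicate, preserve order


def expand_token(token: str, user_caps: Set[str]) -> Set[str]:
    """Turn one scope token into the set of capabilities it asks for."""
    if token == "*":
        return set(user_caps)            # option 1: whatever this user already has
    if token in ROLE_CAPS:
        return set(ROLE_CAPS[token])     # option 2: a role name
    if token in HANDCRAFTED:
        return set(HANDCRAFTED[token])   # option 3: a handcrafted scope
    if token in ALL_CAPS:
        return {token}                   # option 2: an exact capability
    raise InvalidScope(f"unknown scope: {token!r}")


def grant(scope: Optional[str], user_caps: Set[str], default: str = "*") -> dict:
    """Resolve a client's scope request against the authorising user's caps.

    Returns the capabilities to bind to the token, the effective scope string
    to echo in the token response, and whether it was narrowed (RFC 6749
    section 3.3 says the response must include ``scope`` when it differs).
    """
    tokens = parse_scope(scope) or [default]   # absent scope -> assumed default
    requested: Set[str] = set()
    for token in tokens:
        requested |= expand_token(token, user_caps)
    granted = requested & user_caps            # never exceed the resource owner
    if not granted:
        raise InvalidScope("none of the requested capabilities are held by the user")
    return {
        "caps": frozenset(granted),
        "scope": " ".join(sorted(granted)),
        "narrowed": granted != requested,
    }


if __name__ == "__main__":
    print(grant("subscriber edit_posts", {"read"}))          # edit_posts dropped
    print(grant("*", ROLE_CAPS["author"]))                    # everything the author has
```

Note that role names are resolved to capabilities at grant time; if roles are later edited on the site, a token stored as `subscriber` and re-resolved on each request would silently change meaning, so store the expanded capability set on the token (as above) or accept that drift deliberately.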