oauth2.dev

scope

Registry Context

`scope` is an optional introspection-response member containing the scopes associated with the token as a space-separated string.

Technical Summary

In an RFC 7662 introspection response, `scope` is an OPTIONAL top-level JSON string formatted according to the RFC 6749 scope syntax: one or more space-delimited, case-sensitive scope tokens.

When Used

Returned by an authorization server when disclosing scopes associated with an introspected token.

Normative Requirements

Authorization servers

SHOULD NOT

  1. RFC 7662 - Section 2.2

     Include `scope` or other additional token information in the introspection response.

     Condition: when the token is inactive.

     RFC text: "the authorization server SHOULD NOT include any additional information about an inactive token"

MAY

  1. RFC 7662 - Section 2.2

     Limit which scopes from a token are returned for each protected resource.

     Condition: when responding to introspection requests from different protected resources.

     RFC text: "an authorization server MAY limit which scopes from a given token are returned for each protected resource"

OPTIONAL

  1. RFC 7662 - Section 2.2

     Include the `scope` top-level member as a JSON string containing a space-separated list of scopes associated with the token, in the RFC 6749 Section 3.3 format.

     RFC text: "scope OPTIONAL."

Validation Guidance

error: If `scope` is present, require its JSON value to be a string rather than an array, object, number, boolean, or null.

error: Validate `scope` against the RFC 6749 grammar `scope-token *( SP scope-token )`; reject empty values, invalid scope-token characters, and separators other than single spaces.

error: Treat scope tokens as case-sensitive and do not assign significance to their order.

info: Allow the `scope` member to be omitted.

warning: For an inactive token response (`active` is `false`), warn if `scope` is included.
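As an added example (not code from the oauth2.dev entry or from RFC 7662), the checks above applied to a parsed introspection response; the function names, the (severity, message) finding format and the sample responses are constructed here. NQCHAR is taken from RFC 6749 Section 3.3.

```python
from __future__ import annotations

import re
from typing import Any

# RFC 6749 section 3.3: scope-token = 1*NQCHAR
# NQCHAR = %x21 / %x23-5B / %x5D-7E (printable ASCII except SP, DQUOTE, backslash)
SCOPE_TOKEN_RE = re.compile(r"^[\x21\x23-\x5B\x5D-\x7E]+$")


def validate_scope_member(response: dict[str, Any]) -> list[tuple[str, str]]:
    """Validate the `scope` member of an RFC 7662 introspection response.

    Returns (severity, message) findings; an empty list means `scope` is
    absent (allowed) or well-formed. Severities follow the guidance above.
    """
    findings: list[tuple[str, str]] = []
    if "scope" not in response:
        return findings  # omission is permitted

    value = response["scope"]
    # Inactive token: additional information such as `scope` SHOULD NOT be present.
    if response.get("active") is False:
        findings.append(("warning", "scope present in inactive-token response"))

    # Must be a JSON string, not array/object/number/boolean/null.
    if not isinstance(value, str):
        findings.append(("error", f"scope must be a JSON string, got {type(value).__name__}"))
        return findings

    # Grammar: scope-token *( SP scope-token ). Splitting on exactly one SP turns
    # an empty value, leading/trailing/double spaces into empty tokens; a tab or
    # other non-NQCHAR separator fails the character check. Note that "read,write"
    # is a single, grammatically valid scope-token, not two scopes.
    for tok in value.split(" "):
        if tok == "":
            findings.append(("error", "empty scope-token or separator that is not a single SP"))
        elif not SCOPE_TOKEN_RE.match(tok):
            findings.append(("error", f"invalid characters in scope-token {tok!r}"))
    return findings


def scope_set(value: str) -> frozenset[str]:
    """Scopes as an unordered, case-sensitive set: order is insignificant, case is not."""
    return frozenset(value.split(" "))


if __name__ == "__main__":
    # Constructed sample responses, not captured from any real server.
    for sample in ({"active": True, "scope": "read write"},
                   {"active": True, "scope": "read  write"},
                   {"active": False, "scope": "read"}):
        print(sample, "->", validate_scope_member(sample))
```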

Security Notes

RFC 7662 - Section 2.2

An authorization server may limit the scopes returned to each protected resource so that the resource does not learn more about the larger network than is necessary for its operation.

RFC 7662 - Section 2.2

For an inactive token, omitting `scope` and other additional information helps avoid disclosing too much authorization-server state to a third party.

Reference

Details

Entry Id: scope
Name: scope
Description: Authorized scopes of the token
Change Controller: IESG
Reference: RFC 7662 - Section 2.2