It would be nice to be able to associate a "scope" with an SSO OAuth token
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Canonical SSO provider | New | Undecided | Unassigned |
Bug Description
This bug probably counts as a wishlist for the next iteration of the SSO API rather than something that can be backported.
It would be nice if the SSO API allowed you to associate a scope with an OAuth token. The scope value could then be used by an application to decide whether it should accept a token. This way applications could create tokens without fear that if the token is compromised it could be used to attack unrelated services that talk to SSO.
Ubuntu One already does something like this when importing SSO tokens by calling authentications
As far as the structure of the scope values goes, it would probably be worth staying compatible with OAuth 2:
http://
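The scope check requested in this report, sketched as an added example (not code from the report or from the SSO provider). It uses the OAuth 2 scope syntax from RFC 6749 section 3.3; the token dictionary shape, the scope names and the choice to reject tokens that carry no scope are assumptions of this example.

```python
import re

# RFC 6749 section 3.3:
#   scope       = scope-token *( SP scope-token )
#   scope-token = 1*( %x21 / %x23-5B / %x5D-7E )
_SCOPE_TOKEN = re.compile(r"[\x21\x23-\x5B\x5D-\x7E]+")


def parse_scope(value):
    """Parse an OAuth 2 scope string into a frozenset of scope tokens.

    Raises ValueError for anything outside the RFC 6749 grammar, so a
    malformed value is never read as a narrower or wider scope.
    """
    if not isinstance(value, str) or value == "":
        raise ValueError("scope must be a non-empty string")
    tokens = value.split(" ")  # exactly one SP between tokens
    for tok in tokens:
        if not _SCOPE_TOKEN.fullmatch(tok):
            raise ValueError("invalid scope token: %r" % tok)
    return frozenset(tokens)


def accepts(token, required_scope):
    """Decide whether a service should accept an SSO token.

    `token` is the token record as the service sees it (hypothetical
    shape). Assumption: a token without a scope, or with a malformed
    one, is rejected rather than treated as valid everywhere.
    """
    raw = token.get("scope")
    if raw is None:
        return False
    try:
        granted = parse_scope(raw)
    except ValueError:
        return False
    # Every scope the service requires must have been granted.
    return parse_scope(required_scope) <= granted


# Constructed sample tokens; names and scope values are illustrative.
FILES_TOKEN = {"token_name": "files-client", "scope": "files:read files:write"}
UNSCOPED_TOKEN = {"token_name": "old-client"}
```

With these samples, a service requiring `files:read` accepts `FILES_TOKEN`, while an unrelated service requiring a scope the token was never given rejects it, which is the containment the report asks for.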