The spec doesn’t mention requesting access to all scopes. remoteStorage.js handles root access by allowing client apps to call access.scope('*', mode) and passing that as the OAuth scope “root”. The spec only forbids using “public” for a normal scope — it would appear that “root” could be the name of a normal scope (that is, a top level folder).
Given this name conflict and the difficulty in changing something long in use, should the spec be changed to also reserve the scope “root”, and specify it refers to access to all folders?
I’m not sure where you have seen a root scope being used. rs.js turns it into *:rw or *:r respectively, which is also what the server implementations that I’m involved with are expecting.
See here e.g.:
This also maps the specification for RS OAuth scopes. (And since category/module names are required to be alphanumerical, there is also no potential clash with a category named *.)
“root:rw” is what Inspektor requests, and the code in Armadietto interprets that as root level. Perhaps they are operating off old versions of the spec and/or library.
When connecting to 5apps.com, the redirect is for *:rw. When connecting to Armadietto, the redirect is for root:rw. That suggests there’s a difference in the values returned from WebFinger. I’m having trouble capturing the WebFinger responses from both. Is there any documentation on what 5apps.com is returning for WebFinger when the app requests *:rw?
The access the bearer token gives is the sum of its access scopes,
with each access scope representing the following permissions:
'*:rw') any request,
'*:r') any GET or HEAD request,
<module> ':rw') any requests to paths relative to <storage_root>
that start with '/' <module> '/' or
'/public/' <module> '/',
<module> ':r') any GET or HEAD requests to paths relative to
<storage_root> that start with
'/' <module> '/' or '/public/' <module> '/',
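As an added example (not code from the spec, rs.js, Armadietto or any participant in this thread), the following sketch evaluates a token's scopes by the rules quoted above and shows how the same `root:rw` token grants different access depending on whether a server reads `root` as a module name or as an alias for `*`. The names `parseScopes`, `isAllowed` and the `legacyRootAlias` option are hypothetical, and paths are assumed to be already normalized and relative to `<storage_root>`.

```javascript
// Added example: scope evaluation following the quoted spec excerpt.
// parseScopes, isAllowed and legacyRootAlias are hypothetical names.
const READ_METHODS = new Set(['GET', 'HEAD']);

// Turn a space-separated OAuth scope string into a list of grants.
// legacyRootAlias models a server that treats "root" as "*" (assumption).
function parseScopes(scopeString, { legacyRootAlias = false } = {}) {
  const grants = [];
  for (const item of scopeString.split(/\s+/).filter(Boolean)) {
    const idx = item.lastIndexOf(':');
    if (idx < 1) throw new Error(`malformed scope: ${item}`);
    let module = item.slice(0, idx);
    const mode = item.slice(idx + 1);
    if (mode !== 'r' && mode !== 'rw') throw new Error(`bad mode: ${item}`);
    if (legacyRootAlias && module === 'root') module = '*';
    // Module names are alphanumeric, so "*" can never clash with one.
    if (module !== '*' && !/^[A-Za-z0-9]+$/.test(module)) {
      throw new Error(`bad module name: ${item}`);
    }
    // "public" is not allowed as a normal scope name.
    if (module === 'public') throw new Error('"public" is reserved');
    grants.push({ module, mode });
  }
  return grants;
}

// Access is the sum of the scopes: any single matching grant is enough.
function isAllowed(grants, method, path) {
  const isRead = READ_METHODS.has(method.toUpperCase());
  return grants.some(({ module, mode }) => {
    if (mode === 'r' && !isRead) return false; // ":r" covers GET/HEAD only
    if (module === '*') return true;           // "*:r" / "*:rw": any path
    return path.startsWith(`/${module}/`) ||
           path.startsWith(`/public/${module}/`);
  });
}

// Constructed sample: the same token under the two readings of "root".
const strict = parseScopes('root:rw');
const legacy = parseScopes('root:rw', { legacyRootAlias: true });
console.log(isAllowed(strict, 'PUT', '/documents/note.txt')); // false
console.log(isAllowed(legacy, 'PUT', '/documents/note.txt')); // true
```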