Scope name for root access — reserve "root"?

The spec doesn’t mention requesting access to all scopes. remoteStorage.js handles root access by allowing client apps to call access.scope('*', mode) and passing that as the OAuth scope “root”. The spec only forbids using “public” for a normal scope — it would appear that “root” could be the name of a normal scope (that is, a top level folder).

Given this name conflict and the difficulty in changing something long in use, should the spec be changed to also reserve the scope “root”, and specify it refers to access to all folders?

I’m not sure where you have seen a root scope being used. rs.js turns it into *:rw or *:r respectively, which is also what the server implementations that I’m involved with are expecting.

See here e.g.:

This also maps the specification for RS OAuth scopes. (And since category/module names are required to be alphanumerical, there is also no potential clash with a category named *.)

“root:rw” is what Inspektor requests, and the code in Armadietto interprets that as root level. Perhaps they are operating off old versions of the spec and/or library.

Doug Reeder

That’s odd. I tried with Inspektor and it uses *:rw for me. Are you sure it’s not Armadietto that transforms it?

When connecting to, the redirect is for *:rw. When connecting to Armadietto, the redirect is for root:rw. That suggests there’s a difference in the values returned from WebFinger. I’m having trouble capturing the WebFinger responses from both. Is there any documentation on what is returning for WebFinger when the app requests *:rw ?

Found it in access.ts in remotestorage.js:

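    // TODO: document
    private _scopeNameForParameter (scope: ScopeEntry): string {
      // The all-access scope '*' is renamed for servers advertising older spec versions
      if (scope.name === '*' && this.storageType) {
        if (this.storageType === '2012.04') {
          return '';
        } else if (this.storageType.match(/remotestorage-0[01]/)) {
          return 'root';
        }
      }
      return scope.name;
    }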

Armadietto was returning a status version of draft-dejong-remotestorage-01.

So, it looks like the spec needs to document that you can request a scope of *

Do we have notes for server implementers, that could be updated to mention this?

Aha, good catch! And should obviously be updated to something more recent.

That’s exactly what it does:

The access the bearer token gives is the sum of its access scopes,
with each access scope representing the following permissions:

'*:rw') any request,

'*:r') any GET or HEAD request,

<module> ':rw') any requests to paths relative to <storage_root>
                that start with '/' <module> '/' or
                '/public/' <module> '/',

<module> ':r') any GET or HEAD requests to paths relative to
               <storage_root> that start with
               '/' <module> '/' or '/public/' <module> '/',
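
The scope rules quoted above, together with the `root` ambiguity discussed in this thread, as an added example that is not part of the original posts, Armadietto or remotestorage.js. The function names, the `acceptLegacyRoot` option and the rejection of dot segments are assumptions made for illustration; only bearer-token scope checks are covered.

```javascript
// Added example: scope check following the spec text quoted above.
// Module names are alphanumeric (per the thread); "public" is not a module.
const MODULE_NAME = /^[a-z0-9]+$/i;

// Parse an OAuth scope string such as "contacts:r photos:rw" into a
// Map of name -> mode. acceptLegacyRoot is a hypothetical server option:
// when true, "root" is treated as "*", the name rs.js sends to servers
// that advertise draft-dejong-remotestorage-00 or -01.
function parseScopes(scopeString, { acceptLegacyRoot = false } = {}) {
  const grants = new Map();
  for (const entry of scopeString.split(/\s+/).filter(Boolean)) {
    const parts = entry.split(':');
    let name = parts[0];
    const mode = parts[1];
    if (parts.length !== 2 || (mode !== 'r' && mode !== 'rw')) {
      throw new Error(`malformed scope: ${entry}`);
    }
    if (name === 'root' && acceptLegacyRoot) name = '*';
    if (name !== '*' && (name === 'public' || !MODULE_NAME.test(name))) {
      throw new Error(`invalid scope name: ${entry}`);
    }
    // The token's access is the sum of its scopes: keep the widest mode.
    if (grants.get(name) !== 'rw') grants.set(name, mode);
  }
  return grants;
}

// Decide whether a request is covered by the grants. `path` is relative
// to <storage_root>, e.g. "/public/photos/a.jpg".
function isAllowed(grants, method, path) {
  const readOnly = method === 'GET' || method === 'HEAD';
  const permits = (mode) => mode === 'rw' || (mode === 'r' && readOnly);
  if (permits(grants.get('*'))) return true;
  const seg = path.split('/'); // "/public/photos/a" -> ['', 'public', 'photos', 'a']
  if (seg[0] !== '') return false; // path must start with '/'
  // Assumption: dot segments are refused so "/photos/../contacts/x"
  // cannot be matched against the "photos" grant.
  if (seg.includes('..') || seg.includes('.')) return false;
  const i = seg[1] === 'public' ? 2 : 1;
  // The path must start with '/' <module> '/', so a segment must follow.
  if (seg.length <= i + 1) return false;
  return permits(grants.get(seg[i]));
}
```

With `acceptLegacyRoot` off, a token carrying `root:rw` only covers `/root/` and `/public/root/`; with it on, the same string grants every request, which is the name clash the first post describes.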