[Openid-specs-ab] Behavior if the scope parameter is omitted

Amanda Anganes aanganes at mitre.org
Wed Jan 30 22:01:06 UTC 2013

The OAuth 2.0 Specification, in section 3.3, says the following [1]:

    If the client omits the scope parameter when requesting
    authorization, the authorization server MUST either process the
    request using a pre-defined default value or fail the request
    indicating an invalid scope.  The authorization server SHOULD
    document its scope requirements and default value (if defined).

Messages section 2.4 [2] does not give any additional guidance about 
what to do if the client does not specify a scope value when making a 
request; however, it does indicate that the "openid" scope value MUST be 
included for the request to be treated as an OpenID Connect request 
(rather than an OAuth 2.0 request).

What is the server required/allowed to do if the client omits to send 
the scope parameter? Does that MUST disallow an OIDC server from 
defaulting a non-scoped request to include the "openid" scope?

[1] http://tools.ietf.org/html/rfc6749#section-3.3
[2] http://openid.net/specs/openid-connect-messages-1_0.html#scopes
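The two spec rules the question turns on can be written down directly: RFC 6749 section 3.3 leaves the server a choice (pre-defined default or `invalid_scope`) when `scope` is absent, and Messages section 2.4 makes "openid" the test for whether the result is an OpenID Connect request. The following is an added example, not code from the original post or from any OpenID implementation; `KNOWN_SCOPES`, `ScopePolicy` and the sample policies are constructed for illustration, and the choice of a default that excludes "openid" is this example's own design decision.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs

# Scope values this (constructed) authorization server understands.
KNOWN_SCOPES = frozenset({"openid", "profile", "email", "api:read"})


@dataclass(frozen=True)
class ScopePolicy:
    # RFC 6749 section 3.3: when scope is omitted, either apply a
    # pre-defined default or fail the request. None means "fail".
    # Design choice here (not mandated by the spec): a default that
    # omits "openid", so identity claims are never granted implicitly.
    default_scope: Optional[frozenset] = None


@dataclass(frozen=True)
class ScopeDecision:
    granted: frozenset
    is_oidc: bool                 # Messages section 2.4: "openid" present
    error: Optional[str] = None   # "invalid_scope" when rejected


def resolve_scope(query: str, policy: ScopePolicy) -> ScopeDecision:
    """Resolve the effective scope of an authorization request query string."""
    params = parse_qs(query, keep_blank_values=True)
    values = params.get("scope")
    if values is None:
        # Parameter omitted entirely: the RFC 6749 section 3.3 branch.
        if policy.default_scope is None:
            return ScopeDecision(frozenset(), False, "invalid_scope")
        requested = policy.default_scope
    else:
        # Present: must match scope-token *( SP scope-token ), so an
        # empty value is malformed rather than "omitted".
        tokens = values[0].split()
        if not tokens:
            return ScopeDecision(frozenset(), False, "invalid_scope")
        requested = frozenset(tokens)
    if requested - KNOWN_SCOPES:
        # Unknown scope values are rejected rather than silently dropped.
        return ScopeDecision(frozenset(), False, "invalid_scope")
    # Only a request carrying "openid" is treated as OpenID Connect;
    # anything else is handled as a plain OAuth 2.0 request.
    return ScopeDecision(requested, "openid" in requested)
```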
