[Openid-specs-ab] Behavior if the scope parameter is omitted

Amanda Anganes aanganes at mitre.org
Wed Jan 30 22:15:20 UTC 2013


But, Messages does specify what to do if the "openid" scope value is not 
present: "If the openid scope value is not present, the request MUST NOT 
be treated as an OpenID Connect request" [ 
http://openid.net/specs/openid-connect-messages-1_0.html#scopes]. That 
section does not say anything about defaults if no scope is sent, but it 
sounds to me like a request sent with *no* scope at all would fall under 
that umbrella, and MUST NOT be treated as an OpenID Connect request.

--Amanda

On 01/30/2013 05:07 PM, Mike Jones wrote:
>
> Technically, the Connect specs are silent on what should happen if the 
> "openid" scope value isn't present.  The server could do anything that 
> it and its clients decide to do (including behaving as if the "openid" 
> scope value were present). Omitting it isn't a good practice, however.
>
> -- Mike
>
> *From:*openid-specs-ab-bounces at lists.openid.net 
> [mailto:openid-specs-ab-bounces at lists.openid.net] *On Behalf Of 
> *Amanda Anganes
> *Sent:* Wednesday, January 30, 2013 2:01 PM
> *To:* openid-specs-ab at lists.openid.net
> *Subject:* [Openid-specs-ab] Behavior if the scope parameter is omitted
>
> The OAuth 2.0 Specification, in section 3.3, says the following [1]:
>
> If the client omits the scope parameter when requesting
>    authorization, the authorization server MUST either process the
>    request using a pre-defined default value or fail the request
>    indicating an invalid scope.  The authorization server SHOULD
>    document its scope requirements and default value (if defined).
>
> Messages section 2.4 [2] does not give any additional guidance about 
> what to do if the client does not specify a scope value when making a 
> request; however, it does indicate that the "openid" scope value MUST 
> be included for the request to be treated as an OpenID Connect request 
> (rather than an OAuth 2.0 request).
>
> What is the server required/allowed to do if the client omits to send 
> the scope parameter? Does that MUST disallow an OIDC server from 
> defaulting a non-scoped request to include the "openid" scope?
>
> [1] http://tools.ietf.org/html/rfc6749#section-3.3
> [2] http://openid.net/specs/openid-connect-messages-1_0.html#scopes
>
> --Amanda
>

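One way an authorization server could encode the RFC 6749 section 3.3 rule together with the Messages "openid" rule, as an added Python example (not code from either spec, the list, or any implementation discussed here): the documented default scope is a server configuration value, and whether the request is treated as an OpenID Connect request is decided only after that default has been applied, so the choice the thread is debating becomes a single policy parameter. `resolve_scope`, `ScopeDecision` and `SUPPORTED_SCOPES` are assumed names.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

OPENID = "openid"

# Constructed example policy: the scope values this server supports.
SUPPORTED_SCOPES: FrozenSet[str] = frozenset({"openid", "profile", "email", "address"})


@dataclass(frozen=True)
class ScopeDecision:
    scopes: FrozenSet[str]        # effective scope after defaulting (empty on error)
    is_oidc: bool                 # True only when "openid" is in the effective scope
    error: Optional[str] = None   # "invalid_scope" when the request must be failed


def resolve_scope(raw_scope: Optional[str],
                  default_scope: Optional[str],
                  supported: FrozenSet[str] = SUPPORTED_SCOPES) -> ScopeDecision:
    """Decide the effective scope of an authorization request.

    raw_scope     -- the scope parameter as received, or None if omitted
    default_scope -- the server's documented default (RFC 6749 3.3), or None
                     if the server defines no default and must fail the request
    """
    # RFC 6749 3.3: omitted scope -> documented default, or fail with invalid_scope.
    if raw_scope is None:
        if default_scope is None:
            return ScopeDecision(frozenset(), False, "invalid_scope")
        raw_scope = default_scope

    # scope = scope-token *( SP scope-token ): at least one token, single spaces.
    tokens = raw_scope.split(" ")
    if any(tok == "" for tok in tokens):
        return ScopeDecision(frozenset(), False, "invalid_scope")
    requested = frozenset(tokens)

    # Unknown scope values are rejected rather than silently dropped.
    if not requested <= supported:
        return ScopeDecision(frozenset(), False, "invalid_scope")

    # Messages 2.4: without "openid" this is a plain OAuth 2.0 request.
    return ScopeDecision(requested, OPENID in requested)


if __name__ == "__main__":
    # Two server policies for an omitted scope parameter.
    print(resolve_scope(None, None))                  # no default -> invalid_scope
    print(resolve_scope(None, "openid profile"))      # default includes openid -> OIDC
    print(resolve_scope("profile email", None))       # openid absent -> OAuth 2.0 only
```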