[Openid-specs-ab] Behavior if the scope parameter is omitted

Mike Jones Michael.Jones at microsoft.com
Wed Jan 30 22:16:56 UTC 2013

This is probably a bug that we should consider during Thursday call, as we shouldn't be trying to say what OAuth systems do when not using OpenID Connect.  Can you file an issue saying that for us to consider tomorrow?

                                                                -- Mike

From: Amanda Anganes [mailto:aanganes at mitre.org]
Sent: Wednesday, January 30, 2013 2:15 PM
To: Mike Jones
Cc: openid-specs-ab at lists.openid.net
Subject: Re: [Openid-specs-ab] Behavior if the scope parameter is omitted

But, Messages does specify what to do if the "openid" scope value is not present: "If the openid scope value is not present, the request MUST NOT be treated as an OpenID Connect request" [http://openid.net/specs/openid-connect-messages-1_0.html#scopes]. That section does not say anything about defaults if no scope is sent, but it sounds to me like a request sent with *no* scope at all would fall under that umbrella, and MUST NOT be treated as an OpenID Connect request.

On 01/30/2013 05:07 PM, Mike Jones wrote:
Technically, the Connect specs are silent on what should happen if the "openid" scope value isn't present.  The server could do anything that it and its clients decide to do (including behaving as if the "openid" scope value were present).  Omitting it isn't a good practice, however.

                                                                -- Mike

From: openid-specs-ab-bounces at lists.openid.net [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of Amanda Anganes
Sent: Wednesday, January 30, 2013 2:01 PM
To: openid-specs-ab at lists.openid.net
Subject: [Openid-specs-ab] Behavior if the scope parameter is omitted

The OAuth 2.0 Specification, in section 3.3, says the following [1]:

   If the client omits the scope parameter when requesting
   authorization, the authorization server MUST either process the
   request using a pre-defined default value or fail the request
   indicating an invalid scope.  The authorization server SHOULD
   document its scope requirements and default value (if defined).

Messages section 2.4 [2] does not give any additional guidance about what to do if the client does not specify a scope value when making a request; however, it does indicate that the "openid" scope value MUST be included for the request to be treated as an OpenID Connect request (rather than an OAuth 2.0 request).

What is the server required/allowed to do if the client omits the scope parameter? Does that MUST disallow an OIDC server from defaulting a non-scoped request to include the "openid" scope?

[1] http://tools.ietf.org/html/rfc6749#section-3.3
[2] http://openid.net/specs/openid-connect-messages-1_0.html#scopes
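The two rules the thread turns on, as an added worked example that is not part of the original mail or of any OpenID specification text: an authorization server's scope handling that (a) applies the RFC 6749 section 3.3 choice when `scope` is omitted, either a pre-defined default or failure with `invalid_scope`, and (b) treats the request as an OpenID Connect request only when `openid` is among the values in effect. Whether the default may itself include `openid` is exactly the open question above, so the example leaves it as configurable policy rather than deciding it. The class and function names (`ScopePolicy`, `evaluate_scope`, `handle_authorization_request`) and the strict "reject unknown values" behaviour are assumptions of this example, not taken from either specification.

```python
"""Scope handling at an OAuth 2.0 / OpenID Connect authorization server.

Example code written for this thread (not from any spec or project).
Rules modelled:
- RFC 6749 section 3.3: if `scope` is omitted, the server MUST either apply
  a pre-defined default or fail the request indicating an invalid scope.
- OpenID Connect Messages: if the `openid` scope value is not present, the
  request MUST NOT be treated as an OpenID Connect request.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import FrozenSet, Optional, Union

# Characters allowed in a scope-token per the RFC 6749 section 3.3 ABNF:
# %x21 / %x23-5B / %x5D-7E, i.e. printable ASCII except SP, '"' and '\'.
_SCOPE_TOKEN_CHARS = frozenset(
    chr(c) for c in range(0x21, 0x7F) if chr(c) not in '"\\'
)


class InvalidScope(Exception):
    """Raised when the request must fail with error=invalid_scope."""


@dataclass(frozen=True)
class ScopePolicy:
    """Server-side scope configuration (RFC 6749 3.3 says it SHOULD be documented)."""
    allowed: FrozenSet[str]
    # Pre-defined default applied when the client omits `scope`.
    # None selects the other permitted branch: fail the request.
    default: Optional[FrozenSet[str]] = None


@dataclass(frozen=True)
class ScopeDecision:
    granted: FrozenSet[str]
    is_oidc: bool     # True only when "openid" is among the values in effect
    defaulted: bool   # True when `scope` was absent and the default was applied


def parse_scope(raw: str) -> FrozenSet[str]:
    """Parse a `scope` value: space-delimited, case-sensitive tokens."""
    tokens = raw.split(" ")
    for tok in tokens:
        # An empty token means a leading, trailing or doubled space: malformed.
        if not tok or any(ch not in _SCOPE_TOKEN_CHARS for ch in tok):
            raise InvalidScope(f"malformed scope value: {raw!r}")
    return frozenset(tokens)


def evaluate_scope(raw: Optional[str], policy: ScopePolicy) -> ScopeDecision:
    """Decide the effective scope of a request, or raise InvalidScope."""
    if raw is None:
        # RFC 6749 3.3: omitted scope -> pre-defined default, or invalid_scope.
        if policy.default is None:
            raise InvalidScope("scope parameter omitted and no default is defined")
        granted, defaulted = policy.default, True
    else:
        requested = parse_scope(raw)
        unknown = requested - policy.allowed
        # Assumption of this example: unknown values are rejected. RFC 6749 3.3
        # also lets a server ignore part of the requested scope, in which case
        # it has to return the issued scope in the `scope` response parameter.
        if unknown:
            raise InvalidScope("unknown scope value(s): " + " ".join(sorted(unknown)))
        granted, defaulted = requested, False
    # OpenID Connect Messages: without "openid" this is a plain OAuth 2.0
    # request, however the values got there (explicitly or via the default).
    return ScopeDecision(granted=granted, is_oidc="openid" in granted, defaulted=defaulted)


def handle_authorization_request(params: dict, policy: ScopePolicy) -> Union[ScopeDecision, dict]:
    """Return a ScopeDecision, or the error parameters the server would send back."""
    try:
        return evaluate_scope(params.get("scope"), policy)
    except InvalidScope as exc:
        return {"error": "invalid_scope", "error_description": str(exc)}


if __name__ == "__main__":
    allowed = frozenset({"openid", "profile", "email"})
    # Policy A: no default, so an omitted scope fails (one permitted branch).
    fail_policy = ScopePolicy(allowed=allowed)
    # Policy B: default includes "openid" (the behaviour the question asks about).
    default_policy = ScopePolicy(allowed=allowed, default=frozenset({"openid"}))
    for name, policy in (("fail", fail_policy), ("default", default_policy)):
        for req in ({}, {"scope": "openid profile"}, {"scope": "profile"}, {"scope": "openid  profile"}):
            print(name, req, "->", handle_authorization_request(req, policy))
```

Run stand-alone, the script prints the decision each policy reaches for an omitted scope, an explicit OpenID Connect request, a plain OAuth 2.0 request and a malformed value; the `defaulted` flag is what an operator would log to see how often clients rely on the server-side default that RFC 6749 says SHOULD be documented.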

