[Openid-specs-ab] Behavior if the scope parameter is omitted

Mike Jones Michael.Jones at microsoft.com
Wed Jan 30 22:20:20 UTC 2013

http://openid.net/specs/openid-connect-messages-1_0.html#scopes, http://openid.net/specs/openid-connect-basic-1_0.html#scopes, and http://openid.net/specs/openid-connect-implicit-1_0.html#scopes - "openid" scope is REQUIRED. Pretty unambiguous.

We don't say that it should be first, since OAuth says that they're order-independent.

				-- Mike

-----Original Message-----
From: Tim Bray [mailto:tbray at textuality.com] 
Sent: Wednesday, January 30, 2013 2:15 PM
To: Mike Jones
Cc: Amanda Anganes; openid-specs-ab at lists.openid.net
Subject: Re: [Openid-specs-ab] Behavior if the scope parameter is omitted

Coincidentally I was just arguing with an implementer here who was being sloppy about leaving out the "openid..." in the scope, and I was wishing there were unambiguous language saying that "scope MUST be present and MUST begin with the token 'openid'", that I could use to beat this person over the head. Seems like that's what any sane person would do anyhow. -T

On Wed, Jan 30, 2013 at 2:07 PM, Mike Jones <Michael.Jones at microsoft.com> wrote:
> Technically, the Connect specs are silent on what should happen if the 
> "openid" scope value isn't present.  The server could do anything that 
> it and its clients decide to do (including behaving as if the "openid" 
> scope value were present).  Omitting it isn't a good practice, however.
> -- Mike
> From: openid-specs-ab-bounces at lists.openid.net [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of Amanda Anganes
> Sent: Wednesday, January 30, 2013 2:01 PM
> To: openid-specs-ab at lists.openid.net
> Subject: [Openid-specs-ab] Behavior if the scope parameter is omitted
> The OAuth 2.0 Specification, in section 3.3, says the following [1]:
> If the client omits the scope parameter when requesting
>    authorization, the authorization server MUST either process the
>    request using a pre-defined default value or fail the request
>    indicating an invalid scope.  The authorization server SHOULD
>    document its scope requirements and default value (if defined).
> Messages section 2.4 [2] does not give any additional guidance about 
> what to do if the client does not specify a scope value when making a 
> request; however, it does indicate that the "openid" scope value MUST 
> be included for the request to be treated as an OpenID Connect request 
> (rather than an OAuth 2.0 request).
> What is the server required/allowed to do if the client omits to send 
> the scope parameter? Does that MUST disallow an OIDC server from 
> defaulting a non-scoped request to include the "openid" scope?
> [1] http://tools.ietf.org/html/rfc6749#section-3.3
> [2] http://openid.net/specs/openid-connect-messages-1_0.html#scopes
> --Amanda
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
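The rules the thread lands on, as an added example that is not code from any OpenID spec or implementation: RFC 6749 §3.3 (absent scope means either a server-defined default or failure with `invalid_scope`; values are space-delimited and order-independent) combined with the Connect requirement that "openid" be present for the request to count as OpenID Connect. The `ScopeDecision` type, the `default_scope` policy knob and the token-character check (RFC 6749 Appendix A.4 syntax) are this example's own choices.

```python
"""Scope-parameter handling at an OAuth 2.0 / OpenID Connect authorization endpoint.

Illustrative only; the names here are assumptions for this example, not a spec API.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional

# RFC 6749 Appendix A.4: scope-token = 1*( %x21 / %x23-5B / %x5D-7E ),
# i.e. printable ASCII excluding space, double quote and backslash.
def _valid_scope_token(token: str) -> bool:
    return bool(token) and all(
        0x21 <= ord(c) <= 0x7E and c not in '"\\' for c in token
    )

@dataclass(frozen=True)
class ScopeDecision:
    kind: str                    # "oidc", "oauth2" or "error"
    scopes: FrozenSet[str]       # effective scope values after any defaulting
    error: Optional[str] = None  # OAuth 2.0 error code when kind == "error"

def classify_scope(scope_param: Optional[str],
                   default_scope: Optional[str] = None) -> ScopeDecision:
    """Decide how the authorization server treats the request's scope.

    scope_param   -- raw value of the `scope` query parameter, or None if absent.
    default_scope -- the server's documented default (RFC 6749 §3.3), or None
                     if the server chooses to reject scope-less requests.
    """
    if scope_param is None:
        # RFC 6749 §3.3: absent scope -> documented default or invalid_scope.
        if default_scope is None:
            return ScopeDecision("error", frozenset(), "invalid_scope")
        raw = default_scope
    else:
        raw = scope_param

    # Space-delimited and order-independent, so a set is the right model.
    tokens = raw.split(" ")
    if raw.strip() == "" or not all(_valid_scope_token(t) for t in tokens):
        return ScopeDecision("error", frozenset(), "invalid_scope")
    scopes = frozenset(tokens)

    # Connect: "openid" REQUIRED for this to be an OpenID Connect request;
    # without it the server sees a plain OAuth 2.0 authorization request.
    if "openid" in scopes:
        return ScopeDecision("oidc", scopes)
    return ScopeDecision("oauth2", scopes)
```

Whether the default should itself contain "openid" is the policy question the thread raises; this code leaves it to `default_scope` rather than deciding it.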
