[Openid-specs-ab] [openid/connect] Behavior if scope parameter is omitted from authorization request (issue #738)

Amanda_Anganes issues-reply at bitbucket.org
Wed Jan 30 22:23:54 UTC 2013


New issue 738: Behavior if scope parameter is omitted from authorization request


The OAuth 2.0 Specification, in section 3.3, says the following [1]:

   If the client omits the scope parameter when requesting
   authorization, the authorization server MUST either process the
   request using a pre-defined default value or fail the request
   indicating an invalid scope.  The authorization server SHOULD
   document its scope requirements and default value (if defined).

Regarding scopes, Messages 2.4 says that the "openid" scope is REQUIRED: "If the openid scope value is not present, the request MUST NOT be treated as an OpenID Connect request" [2].

If the scope parameter is omitted entirely, what is an OIDC server allowed/required to do? The requirement in Messages seems to indicate that a server may not default a non-scoped request to include the "openid" scope. 


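The two rules quoted in the issue (RFC 6749 section 3.3 on an omitted scope parameter, and Messages 2.4 on the "openid" scope value) are easy to check mechanically at the authorization endpoint. The following is an added illustration, not code from the OpenID or OAuth specifications or from any particular server: a scope-resolution step for a hypothetical authorization server whose supported scopes and default-scope policy are constructed for the example. It implements the two options RFC 6749 allows for a missing scope (apply a pre-defined default, or fail with `invalid_scope`) and, separately, reports whether "openid" was explicitly requested or would only arrive through the server's default, which is exactly the case the issue asks about.

```python
from urllib.parse import parse_qs

# Constructed set of scope values this hypothetical server understands.
SUPPORTED_SCOPES = frozenset({"openid", "profile", "email"})


def resolve_scope(query_string, default_scope=None):
    """Resolve the scope parameter of an authorization request.

    query_string  : the raw query component of the authorization request.
    default_scope : the server's pre-defined default (iterable of scope
                    strings) or None when the server has no default and
                    therefore rejects requests without a scope parameter
                    (RFC 6749 section 3.3 permits either behaviour).

    Returns a dict with:
      scopes             : frozenset of effective scope values
      error              : None or "invalid_scope"
      openid_explicit    : True if the client itself sent "openid"
      openid_from_default: True if "openid" is present only because the
                           server's default supplied it (Messages 2.4 says
                           a request without openid MUST NOT be treated as
                           OpenID Connect; whether a default may inject it
                           is the open question in the issue above)
    """
    result = {
        "scopes": frozenset(),
        "error": None,
        "openid_explicit": False,
        "openid_from_default": False,
    }
    params = parse_qs(query_string, keep_blank_values=True)
    raw = params.get("scope")

    if raw is None:
        # Case 1: scope parameter omitted entirely.
        if default_scope is None:
            result["error"] = "invalid_scope"
            return result
        scopes = frozenset(default_scope)
        result["openid_from_default"] = "openid" in scopes
    else:
        # Case 2: scope present. Values are space-delimited and
        # case-sensitive (RFC 6749 section 3.3); ignore empty tokens.
        scopes = frozenset(s for s in raw[0].split(" ") if s)
        if not scopes:
            # "scope=" with no values is treated like an invalid scope.
            result["error"] = "invalid_scope"
            return result
        result["openid_explicit"] = "openid" in scopes

    # Reject any value the server does not recognise.
    if scopes - SUPPORTED_SCOPES:
        result["error"] = "invalid_scope"
        result["scopes"] = frozenset()
        result["openid_explicit"] = False
        result["openid_from_default"] = False
        return result

    result["scopes"] = scopes
    return result


if __name__ == "__main__":
    # Constructed sample requests.
    for qs, default in [
        ("response_type=code&client_id=abc", None),
        ("response_type=code&client_id=abc", ("profile",)),
        ("response_type=code&client_id=abc", ("openid",)),
        ("response_type=code&client_id=abc&scope=openid%20profile", None),
        ("response_type=code&client_id=abc&scope=profile", ("openid",)),
    ]:
        print(qs, default, "->", resolve_scope(qs, default))
```

A server that wants to be safe under the stricter reading of Messages 2.4 can simply refuse to configure a `default_scope` containing "openid"; a server that does include it can at least log `openid_from_default` so that OpenID Connect processing triggered by a default rather than by the client is visible.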
