[Openid-specs-ab] Behavior if the scope parameter is omitted

Amanda Anganes aanganes at mitre.org
Wed Jan 30 22:25:28 UTC 2013

Done, I filed #738 to track this issue.


On 01/30/2013 05:16 PM, Mike Jones wrote:
> This is probably a bug that we should consider during Thursday call, 
> as we shouldn't be trying to say what OAuth systems do when not using 
> OpenID Connect.  Can you file an issue saying that for us to consider 
> tomorrow?
> -- Mike
> *From:* Amanda Anganes [mailto:aanganes at mitre.org]
> *Sent:* Wednesday, January 30, 2013 2:15 PM
> *To:* Mike Jones
> *Cc:* openid-specs-ab at lists.openid.net
> *Subject:* Re: [Openid-specs-ab] Behavior if the scope parameter is omitted
> But, Messages does specify what to do if the "openid" scope value is 
> not present: "If the openid scope value is not present, the request 
> MUST NOT be treated as an OpenID Connect request"
> [http://openid.net/specs/openid-connect-messages-1_0.html#scopes]. That
> section does not say anything about defaults if no scope is sent, but 
> it sounds to me like a request sent with *no* scope at all would fall 
> under that umbrella, and MUST NOT be treated as an OpenID Connect 
> request.
> --Amanda
> On 01/30/2013 05:07 PM, Mike Jones wrote:
>     Technically, the Connect specs are silent on what should happen if
>     the "openid" scope value isn't present.  The server could do
>     anything that it and its clients decide to do (including behaving
>     as if the "openid" scope value were present). Omitting it isn't a
>     good practice, however.
>     -- Mike
>     *From:* openid-specs-ab-bounces at lists.openid.net
>     [mailto:openid-specs-ab-bounces at lists.openid.net] *On Behalf Of* Amanda Anganes
>     *Sent:* Wednesday, January 30, 2013 2:01 PM
>     *To:* openid-specs-ab at lists.openid.net
>     *Subject:* [Openid-specs-ab] Behavior if the scope parameter is omitted
>     The OAuth 2.0 Specification, in section 3.3, says the following [1]:
>     If the client omits the scope parameter when requesting
>        authorization, the authorization server MUST either process the
>        request using a pre-defined default value or fail the request
>        indicating an invalid scope.  The authorization server SHOULD
>        document its scope requirements and default value (if defined).
>     Messages section 2.4 [2] does not give any additional guidance
>     about what to do if the client does not specify a scope value when
>     making a request; however, it does indicate that the "openid"
>     scope value MUST be included for the request to be treated as an
>     OpenID Connect request (rather than an OAuth 2.0 request).
>     What is the server required/allowed to do if the client omits to
>     send the scope parameter? Does that MUST disallow an OIDC server
>     from defaulting a non-scoped request to include the "openid" scope?
>     [1] http://tools.ietf.org/html/rfc6749#section-3.3
>     [2] http://openid.net/specs/openid-connect-messages-1_0.html#scopes
>     --Amanda
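The two rules the thread walks through, RFC 6749 section 3.3 for an omitted scope parameter and the Messages rule that a request without the "openid" scope value is not an OpenID Connect request, combined into one authorization-server decision function. This is an illustration added here, not code from any message in the thread; the ScopePolicy type, its registered scope set and the choice to reject unregistered scope tokens are assumptions of the example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# RFC 6749 section 3.3 ABNF: scope-token = 1*( %x21 / %x23-5B / %x5D-7E ),
# tokens separated by a single SP.
SCOPE_TOKEN_RE = re.compile(r"^[\x21\x23-\x5b\x5d-\x7e]+$")

@dataclass(frozen=True)
class ScopePolicy:
    # Constructed server policy (assumption): None means no pre-defined default,
    # so an omitted scope parameter MUST fail with invalid_scope.
    default_scope: Optional[str]
    registered_scopes: frozenset = frozenset({"openid", "profile", "email", "api:read"})

@dataclass
class ScopeDecision:
    granted: List[str] = field(default_factory=list)
    is_openid_connect: bool = False
    error: Optional[str] = None

def parse_scope(scope: str) -> Optional[List[str]]:
    """Split a scope parameter into tokens; None if it violates the RFC 6749 ABNF."""
    tokens = scope.split(" ")
    if not all(SCOPE_TOKEN_RE.match(t) for t in tokens):
        return None  # empty token (double space, empty string) or illegal character
    return tokens

def resolve_scope(requested: Optional[str], policy: ScopePolicy) -> ScopeDecision:
    """Apply RFC 6749 section 3.3 and the OpenID Connect 'openid' scope rule."""
    if requested is None:
        if policy.default_scope is None:
            return ScopeDecision(error="invalid_scope")  # no default defined: MUST fail
        requested = policy.default_scope                # process with pre-defined default
    tokens = parse_scope(requested)
    if tokens is None or any(t not in policy.registered_scopes for t in tokens):
        # Malformed or unregistered tokens. RFC 6749 also permits ignoring unknown
        # tokens (partial grant); this example takes the stricter route and fails.
        return ScopeDecision(error="invalid_scope")
    # Without the "openid" value the request is plain OAuth 2.0, not OpenID Connect,
    # even if the server's own default was what supplied the scope.
    return ScopeDecision(granted=tokens, is_openid_connect="openid" in tokens)
```

Whether an omitted scope is defaulted to include "openid" (Amanda's question) is purely the value of `default_scope` here; the spec text constrains only that a default must be pre-defined and that "openid" must actually be present for the request to count as OpenID Connect.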
