[Openid-specs-ab] Behavior if the scope parameter is omitted

John Bradley ve7jtb at ve7jtb.com
Wed Jan 30 22:34:24 UTC 2013

The idea and I thought we were clear on it , was that we don't want to preclude a OAuth AS from serving any other OAuth scopes defined in any way the AS likes.

The if the openid scope is not there then the server can do as it likes.  Thet could be doing connect I suppose though for interoperability sake I wouldn't tell the clients that.

With the openid scope you are guaranteed certain processing that is not part of OAuth.

The language that the server must not do connect if the scope is not there was intended to warn clients and not strictly preclude servers from  doing whatever they like if they are not claiming to be doing connect.

So if there are no scopes the server is free to treat it as anything it likes including Connect, but I don't think that is a good practice for clients who will find themselves breaking on some sites.

John B.
On 2013-01-30, at 7:14 PM, Tim Bray <tbray at textuality.com> wrote:

> Coincidentally I was just arguing with an implementer here who was
> being sloppy about leaving out the "openid..." in the scope, and I was
> wishing there were unambiguous language saying that "scope MUST be
> present and MUST begin with the token 'openid'", that I could use to
> beat this person over the head. Seems like that's what any sane person
> would do anyhow. -T
> On Wed, Jan 30, 2013 at 2:07 PM, Mike Jones <Michael.Jones at microsoft.com> wrote:
>> Technically, the Connect specs are silent on what should happen if the
>> “openid” scope value isn’t present.  The server could do anything that it
>> and its clients decide to do (including behaving as if the “openid” scope
>> value were present).  Omitting it isn’t a good practice, however.
>>                                                                -- Mike
>> From: openid-specs-ab-bounces at lists.openid.net
>> [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of Amanda
>> Anganes
>> Sent: Wednesday, January 30, 2013 2:01 PM
>> To: openid-specs-ab at lists.openid.net
>> Subject: [Openid-specs-ab] Behavior if the scope parameter is omitted
>> The OAuth 2.0 Specification, in section 3.3, says the following [1]:
>> If the client omits the scope parameter when requesting
>>   authorization, the authorization server MUST either process the
>>   request using a pre-defined default value or fail the request
>>   indicating an invalid scope.  The authorization server SHOULD
>>   document its scope requirements and default value (if defined).
>> Messages section 2.4 [2] does not give any additional guidance about what to
>> do if the client does not specify a scope value when making a request;
>> however, it does indicate that the "openid" scope value MUST be included for
>> the request to be treated as an OpenID Connect request (rather than an OAuth
>> 2.0 request).
>> What is the server required/allowed to do if the client omits to send the
>> scope parameter? Does that MUST disallow an OIDC server from defaulting a
>> non-scoped request to include the "openid" scope?
>> [1] http://tools.ietf.org/html/rfc6749#section-3.3
>> [2] http://openid.net/specs/openid-connect-messages-1_0.html#scopes
>> --Amanda
>> _______________________________________________
>> Openid-specs-ab mailing list
>> Openid-specs-ab at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-specs-ab
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab

More information about the Openid-specs-ab mailing list