[Openid-specs-ab] Behavior if the scope parameter is omitted

Nat Sakimura sakimura at gmail.com
Thu Jan 31 03:34:01 UTC 2013


At the same time, though, as a best practice, we could recommend "openid"
be the first in the list of scopes, I guess, perhaps in a "Note:".

Nat

2013/1/31 Mike Jones <Michael.Jones at microsoft.com>

> http://openid.net/specs/openid-connect-messages-1_0.html#scopes,
> http://openid.net/specs/openid-connect-basic-1_0.html#scopes, and
> http://openid.net/specs/openid-connect-implicit-1_0.html#scopes  -
> "openid" scope is REQUIRED.  Pretty unambiguous.
>
> We don't say that it should be first, since OAuth says that they're
> order-independent.
>
>                                 -- Mike
>
> -----Original Message-----
> From: Tim Bray [mailto:tbray at textuality.com]
> Sent: Wednesday, January 30, 2013 2:15 PM
> To: Mike Jones
> Cc: Amanda Anganes; openid-specs-ab at lists.openid.net
> Subject: Re: [Openid-specs-ab] Behavior if the scope parameter is omitted
>
> Coincidentally I was just arguing with an implementer here who was being
> sloppy about leaving out the "openid..." in the scope, and I was wishing
> there were unambiguous language saying that "scope MUST be present and MUST
> begin with the token 'openid'", that I could use to beat this person over
> the head. Seems like that's what any sane person would do anyhow. -T
>
> On Wed, Jan 30, 2013 at 2:07 PM, Mike Jones <Michael.Jones at microsoft.com>
> wrote:
> > Technically, the Connect specs are silent on what should happen if the
> > "openid" scope value isn't present.  The server could do anything that
> > it and its clients decide to do (including behaving as if the "openid"
> > scope value were present).  Omitting it isn't a good practice, however.
> >
> >
> >
> >                                                                 --
> > Mike
> >
> >
> >
> > From: openid-specs-ab-bounces at lists.openid.net
> > [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of Amanda
> > Anganes
> > Sent: Wednesday, January 30, 2013 2:01 PM
> > To: openid-specs-ab at lists.openid.net
> > Subject: [Openid-specs-ab] Behavior if the scope parameter is omitted
> >
> >
> >
> > The OAuth 2.0 Specification, in section 3.3, says the following [1]:
> >
> > If the client omits the scope parameter when requesting
> >    authorization, the authorization server MUST either process the
> >    request using a pre-defined default value or fail the request
> >    indicating an invalid scope.  The authorization server SHOULD
> >    document its scope requirements and default value (if defined).
> >
> > Messages section 2.4 [2] does not give any additional guidance about
> > what to do if the client does not specify a scope value when making a
> > request; however, it does indicate that the "openid" scope value MUST
> > be included for the request to be treated as an OpenID Connect request
> > (rather than an OAuth 2.0 request).
> >
> > What is the server required/allowed to do if the client omits to send
> > the scope parameter? Does that MUST disallow an OIDC server from
> > defaulting a non-scoped request to include the "openid" scope?
> >
> > [1] http://tools.ietf.org/html/rfc6749#section-3.3
> > [2] http://openid.net/specs/openid-connect-messages-1_0.html#scopes
> >
> > --Amanda
> >
> >
> > _______________________________________________
> > Openid-specs-ab mailing list
> > Openid-specs-ab at lists.openid.net
> > http://lists.openid.net/mailman/listinfo/openid-specs-ab
> >



-- 
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en
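
The scope handling discussed in this thread, as an added example that is not part of any message above and not taken from any OpenID Connect implementation. The names `resolve_scope`, `error_redirect`, `ScopeError` and `default_scope`, the sample URLs, and the choice to reject an empty scope value are assumptions made for illustration.

```python
from typing import Optional
from urllib.parse import urlencode, urlsplit, urlunsplit, parse_qsl


class ScopeError(Exception):
    """Request must fail with the RFC 6749 error code "invalid_scope"."""
    error = "invalid_scope"


def resolve_scope(raw_scope: Optional[str], default_scope: Optional[str] = None) -> dict:
    """Classify an authorization request by its "scope" parameter.

    raw_scope     -- the parameter value, or None when the client omitted it
    default_scope -- this server's documented default, or None if it has none
    """
    if raw_scope is None:
        # RFC 6749 section 3.3: process with a pre-defined default or fail.
        if default_scope is None:
            raise ScopeError("scope omitted and no default is defined")
        raw_scope = default_scope
    # Space-delimited and order-independent, so compare as a set.
    scopes = frozenset(s for s in raw_scope.split(" ") if s)
    if not scopes:
        raise ScopeError("scope parameter is empty")  # assumed policy
    # "openid" anywhere in the list makes this an OpenID Connect request;
    # without it the request is handled as plain OAuth 2.0.
    return {"scopes": scopes, "is_oidc": "openid" in scopes}


def error_redirect(redirect_uri: str, err: ScopeError, state: Optional[str]) -> str:
    """Build the code-flow error redirect, preserving any existing query."""
    parts = urlsplit(redirect_uri)
    query = parse_qsl(parts.query, keep_blank_values=True)
    query += [("error", err.error), ("error_description", str(err))]
    if state is not None:
        query.append(("state", state))
    return urlunsplit(parts._replace(query=urlencode(query)))


if __name__ == "__main__":
    # Constructed requests, not taken from the thread.
    print(resolve_scope("profile openid email"))        # openid not first: still OIDC
    print(resolve_scope("profile email"))               # plain OAuth 2.0
    print(resolve_scope(None, default_scope="openid"))  # server chose an OIDC default
    try:
        resolve_scope(None)                             # no default: fail the request
    except ScopeError as e:
        print(error_redirect("https://client.example/cb?x=1", e, "af0ifjsldkj"))
```

Whether `default_scope` contains "openid" is the server policy the thread leaves open; the function only makes that choice explicit and documented.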