[Openid-specs-ab] Interaction between OIDC Registration and RFC7591
jricher at mit.edu
Thu Oct 13 11:51:00 UTC 2016
We've come across an interesting interaction between related specs.

Our client software requests a "scope" value as part of its client
metadata, as defined in RFC7591. The OIDC Registration spec does not
define this metadata value, but of course allows it as an extension. Our
server accepts this value as well.

We're testing against a server implementation that ignores the incoming
"scope" metadata request entirely, since it's not explicitly listed in
the OIDC Registration specification. Part of this ignoring process is
that the server returns a registration object back to the client that
omits the "scope" value. Our client, following the advice in RFC7591 and
the OIDC Registration spec both, takes this response from the server to
mean that it doesn't have a registered scope set with the server. This
consequently causes our client to not send a "scope" value in the
authorization request, which causes the server to fail because the
"scope" is required.

I think the right solution to this is to revise the OIDC Registration
specification to be a normative extension of RFC7591/RFC7592, as has
been discussed previously on this list and, to my recollection,
generally agreed on but not acted on yet. Software statements and other
enhancements that are in RFC7591 would also be available as options
without further effort.

In practice, most implementations that I've seen already mix the two
specifications. This is the intended effect of having wire
compatibility, of course. Changing the spec would align it better with
reality, and help avoid cases like this one where strict interpretation
leads to lack of interoperability.
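The exchange described above, as an added Python example that is not code from the poster's client or from either spec: the request and response metadata are constructed samples, and the reconcile() check is a hypothetical client-side step that surfaces the dropped field before the authorization request is built.

```python
"""Client-side check for the RFC 7591 / OIDC Registration interaction:
a server that silently drops the requested "scope" metadata leaves the
client with no registered scope to send in the authorization request."""
import json

# Constructed sample request: RFC 7591 client metadata including "scope",
# which OIDC Registration does not define but allows as an extension.
REGISTRATION_REQUEST = {
    "redirect_uris": ["https://client.example.test/cb"],
    "client_name": "Example Client",
    "scope": "openid profile email",
}

# Constructed sample response from a server that ignores "scope" entirely
# and therefore omits it from the registered metadata it returns.
REGISTRATION_RESPONSE_JSON = json.dumps({
    "client_id": "client-id-constructed",
    "client_secret": "client-secret-constructed",
    "redirect_uris": ["https://client.example.test/cb"],
    "client_name": "Example Client",
})


def omitted_metadata(request, response):
    """Requested metadata names the server did not echo back. The client
    must use the values as returned, so an omitted field means it holds
    no registered value for that field."""
    return sorted(name for name in request if name not in response)


def authorization_params(response):
    """Build authorization-request parameters strictly from the
    registration response, as the client in the thread does."""
    params = {
        "response_type": "code",
        "client_id": response["client_id"],
        "redirect_uri": response["redirect_uris"][0],
    }
    if "scope" in response:  # no registered scope -> no scope parameter
        params["scope"] = response["scope"]
    return params


def reconcile(request, response_json):
    """Return (params, warnings): the dropped field becomes visible here,
    rather than when the server rejects the scope-less request."""
    response = json.loads(response_json)
    warnings = ["server omitted requested metadata %r" % name
                for name in omitted_metadata(request, response)]
    params = authorization_params(response)
    if "scope" not in params:
        warnings.append("authorization request will carry no scope")
    return params, warnings
```

Running reconcile(REGISTRATION_REQUEST, REGISTRATION_RESPONSE_JSON) yields parameters without "scope" plus two warnings, which is exactly the state the thread describes.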