<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
</head>
<body bgcolor="white" lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Technically, the Connect specs are silent on what should happen if the “openid” scope value isn’t present.  The server could do anything that it and its clients
 decide to do (including behaving as if the “openid” scope value were present).  Omitting it isn’t a good practice, however.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">                                                                -- Mike<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext"> openid-specs-ab-bounces@lists.openid.net [mailto:openid-specs-ab-bounces@lists.openid.net]
<b>On Behalf Of </b>Amanda Anganes<br>
<b>Sent:</b> Wednesday, January 30, 2013 2:01 PM<br>
<b>To:</b> openid-specs-ab@lists.openid.net<br>
<b>Subject:</b> [Openid-specs-ab] Behavior if the scope parameter is omitted<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The OAuth 2.0 Specification, in section 3.3, says the following [1]:<br>
<br>
If the client omits the scope parameter when requesting<br>
   authorization, the authorization server MUST either process the<br>
   request using a pre-defined default value or fail the request<br>
   indicating an invalid scope.  The authorization server SHOULD<br>
   document its scope requirements and default value (if defined).<br>
<br>
Messages section 2.4 [2] does not give any additional guidance about what to do if the client does not specify a scope value when making a request; however, it does indicate that the "openid" scope value MUST be included for the request to be treated as an
 OpenID Connect request (rather than an OAuth 2.0 request). <br>
<br>
What is the server required/allowed to do if the client omits to send the scope parameter? Does that MUST disallow an OIDC server from defaulting a non-scoped request to include the "openid" scope?
<br>
<br>
[1] <a href="http://tools.ietf.org/html/rfc6749#section-3.3">http://tools.ietf.org/html/rfc6749#section-3.3</a><br>
[2] <a href="http://openid.net/specs/openid-connect-messages-1_0.html#scopes">http://openid.net/specs/openid-connect-messages-1_0.html#scopes</a><br>
<br>
--Amanda<o:p></o:p></p>
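<p class="MsoNormal">Added example (not code from the thread, the specs, or any named implementation): an authorization-server scope resolver that takes the two options RFC 6749 section 3.3 allows for an omitted scope parameter (apply a pre-defined default, or fail with invalid_scope) and then classifies the request as OpenID Connect or plain OAuth 2.0 by the presence of the "openid" value, as Messages section 2.4 requires. The ScopePolicy/ScopeDecision types, the request dict shape and the supported-scope list are this example's own assumptions.</p>

```python
"""Scope handling for an OAuth 2.0 / OpenID Connect authorization endpoint.

Added example; the policy and decision types below are assumptions made
for illustration, not part of RFC 6749 or the Connect Messages spec."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

INVALID_SCOPE = "invalid_scope"  # RFC 6749 section 4.1.2.1 error code


@dataclass
class ScopePolicy:
    # Pre-defined default applied when scope is omitted, or None to fail
    # such requests instead (both are permitted by RFC 6749 section 3.3).
    default_scopes: Optional[FrozenSet[str]]
    # Scope values this server knows how to grant (assumed sample set).
    supported: FrozenSet[str] = frozenset({"openid", "profile", "email", "read"})


@dataclass
class ScopeDecision:
    error: Optional[str]                 # None on success, else an error code
    scopes: FrozenSet[str] = frozenset()
    is_oidc: bool = False                # True only if "openid" was requested


def parse_scope(raw: str) -> FrozenSet[str]:
    # RFC 6749 section 3.3: space-delimited, case-sensitive strings.
    return frozenset(v for v in raw.split(" ") if v)


def resolve_scope(params: Dict[str, str], policy: ScopePolicy) -> ScopeDecision:
    raw = params.get("scope")
    if raw is None:
        # Parameter omitted: MUST either use the documented default or fail.
        if policy.default_scopes is None:
            return ScopeDecision(error=INVALID_SCOPE)
        scopes = policy.default_scopes
    else:
        scopes = parse_scope(raw)
        if not scopes:
            # Present but empty is treated as invalid here (a server choice).
            return ScopeDecision(error=INVALID_SCOPE)
    if not scopes <= policy.supported:
        return ScopeDecision(error=INVALID_SCOPE)
    # "openid" present: an OpenID Connect request; otherwise it is a plain
    # OAuth 2.0 request even when the server is Connect-capable.
    return ScopeDecision(error=None, scopes=scopes, is_oidc="openid" in scopes)
```

Whether the default should itself contain "openid" is exactly the thread's open question; the resolver makes that a policy setting rather than deciding it.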
</div>
</body>
</html>