<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Done, I filed #738
<a
href="http://hg.openid.net/connect/issue/738/behavior-if-scope-parameter-is-omitted">http://hg.openid.net/connect/issue/738/behavior-if-scope-parameter-is-omitted</a>
to track this issue. <br>
<br>
--Amanda<br>
<br>
<div class="moz-cite-prefix">On 01/30/2013 05:16 PM, Mike Jones
wrote:<br>
</div>
<blockquote
cite="mid:4E1F6AAD24975D4BA5B1680429673943673EBDD4@TK5EX14MBXC284.redmond.corp.microsoft.com"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">This
is probably a bug that we should consider during Thursday's
call, as we shouldn’t be trying to say what OAuth systems do
when not using OpenID Connect. Can you file an issue saying
that for us to consider tomorrow?<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">
-- Mike<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:&quot;Tahoma&quot;,&quot;sans-serif&quot;;color:windowtext">From:</span></b><span
style="font-size:10.0pt;font-family:&quot;Tahoma&quot;,&quot;sans-serif&quot;;color:windowtext">
Amanda Anganes [<a class="moz-txt-link-freetext" href="mailto:aanganes@mitre.org">mailto:aanganes@mitre.org</a>]
<br>
<b>Sent:</b> Wednesday, January 30, 2013 2:15 PM<br>
<b>To:</b> Mike Jones<br>
<b>Cc:</b> <a class="moz-txt-link-abbreviated" href="mailto:openid-specs-ab@lists.openid.net">openid-specs-ab@lists.openid.net</a><br>
<b>Subject:</b> Re: [Openid-specs-ab] Behavior if the
scope parameter is omitted<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-bottom:12.0pt">But, Messages
does specify what to do if the "openid" scope value is not
present: "If the openid scope value is not present, the
request MUST NOT be treated as an OpenID Connect request" [
<a moz-do-not-send="true"
href="http://openid.net/specs/openid-connect-messages-1_0.html#scopes">http://openid.net/specs/openid-connect-messages-1_0.html#scopes</a>].
That section does not say anything about defaults if no scope
is sent, but it sounds to me like a request sent with *no*
scope at all would fall under that umbrella, and MUST NOT be
treated as an OpenID Connect request.
<br>
<br>
--Amanda<o:p></o:p></p>
<div>
<p class="MsoNormal">On 01/30/2013 05:07 PM, Mike Jones wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">Technically,
the Connect specs are silent on what should happen if the
“openid” scope value isn’t present. The server could do
anything that it and its clients decide to do (including
behaving as if the “openid” scope value were present).
Omitting it isn’t a good practice, however.</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">
-- Mike</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D"> </span><o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:&quot;Tahoma&quot;,&quot;sans-serif&quot;;color:windowtext">From:</span></b><span
style="font-size:10.0pt;font-family:&quot;Tahoma&quot;,&quot;sans-serif&quot;;color:windowtext">
<a moz-do-not-send="true"
href="mailto:openid-specs-ab-bounces@lists.openid.net">openid-specs-ab-bounces@lists.openid.net</a>
[<a moz-do-not-send="true"
href="mailto:openid-specs-ab-bounces@lists.openid.net">mailto:openid-specs-ab-bounces@lists.openid.net</a>]
<b>On Behalf Of </b>Amanda Anganes<br>
<b>Sent:</b> Wednesday, January 30, 2013 2:01 PM<br>
<b>To:</b> <a moz-do-not-send="true"
href="mailto:openid-specs-ab@lists.openid.net">openid-specs-ab@lists.openid.net</a><br>
<b>Subject:</b> [Openid-specs-ab] Behavior if the
scope parameter is omitted</span><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">The OAuth 2.0 Specification, in section
3.3, says the following [1]:<br>
<br>
If the client omits the scope parameter when requesting
authorization, the authorization server MUST either process the
request using a pre-defined default value or fail the request
indicating an invalid scope. The authorization server SHOULD
document its scope requirements and default value (if defined).<br>
<br>
Messages section 2.4 [2] does not give any additional
guidance about what to do if the client does not specify a
scope value when making a request; however, it does indicate
that the "openid" scope value MUST be included for the
request to be treated as an OpenID Connect request (rather
than an OAuth 2.0 request). <br>
<br>
What is the server required/allowed to do if the client
omits to send the scope parameter? Does that MUST disallow
an OIDC server from defaulting a non-scoped request to
include the "openid" scope?
<br>
<br>
[1] <a moz-do-not-send="true"
href="http://tools.ietf.org/html/rfc6749#section-3.3">http://tools.ietf.org/html/rfc6749#section-3.3</a><br>
[2] <a moz-do-not-send="true"
href="http://openid.net/specs/openid-connect-messages-1_0.html#scopes">http://openid.net/specs/openid-connect-messages-1_0.html#scopes</a><br>
<br>
--Amanda<o:p></o:p></p>
</blockquote>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</blockquote>
<br>
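<p>An added example, not part of the original thread or of any OpenID Connect implementation: one way an authorization server could classify a request by its scope parameter, following the RFC 6749 section 3.3 text and the Messages "openid" rule quoted above. The names <code>decide</code>, <code>default_scope</code> and <code>allow_default_openid</code> are hypothetical; the flag exposes the open question from the thread as an explicit server setting rather than answering it.</p>

```python
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import parse_qs


@dataclass(frozen=True)
class Decision:
    outcome: str                    # "oidc", "oauth2" or "error"
    scope: Tuple[str, ...] = ()     # effective scope values
    error: Optional[str] = None     # OAuth 2.0 error code when outcome == "error"


def decide(query: str, default_scope: Optional[str] = None,
           allow_default_openid: bool = False) -> Decision:
    """Classify an authorization request by its scope parameter.

    default_scope and allow_default_openid are hypothetical server settings:
    the documented default scope (None = no default) and whether a default
    may turn a scope-less request into an OpenID Connect request.
    """
    raw = parse_qs(query, keep_blank_values=True).get("scope", [])
    if len(raw) > 1:
        # RFC 6749 section 3.1: a parameter must not appear more than once.
        return Decision("error", error="invalid_request")
    # An empty value counts as omitted (RFC 6749 section 3.1).
    values = raw[0].split() if raw else []
    if not values:
        # RFC 6749 section 3.3: use a pre-defined default or fail the request.
        values = (default_scope or "").split()
        if not allow_default_openid:
            # Stricter reading from the thread: no scope sent, so not OIDC.
            values = [v for v in values if v != "openid"]
        if not values:
            return Decision("error", error="invalid_scope")
    # Scope values are case-sensitive; only the exact value "openid" counts.
    outcome = "oidc" if "openid" in values else "oauth2"
    return Decision(outcome, tuple(values))


if __name__ == "__main__":
    base = "response_type=code&client_id=example-client"  # constructed sample
    for q, kw in [
        (base + "&scope=openid+profile", {}),
        (base + "&scope=profile", {}),
        (base, {}),
        (base, {"default_scope": "openid profile"}),
        (base, {"default_scope": "openid profile", "allow_default_openid": True}),
    ]:
        print(q, kw, "->", decide(q, **kw))
```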
</body>
</html>