<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    Done, I filed #738
    <a
href="http://hg.openid.net/connect/issue/738/behavior-if-scope-parameter-is-omitted">http://hg.openid.net/connect/issue/738/behavior-if-scope-parameter-is-omitted</a>
    to track this issue. <br>
    <br>
    --Amanda<br>
    <br>
    <div class="moz-cite-prefix">On 01/30/2013 05:16 PM, Mike Jones
      wrote:<br>
    </div>
    <blockquote
cite="mid:4E1F6AAD24975D4BA5B1680429673943673EBDD4@TK5EX14MBXC284.redmond.corp.microsoft.com"
      type="cite">
      <div class="WordSection1">
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:'Calibri','sans-serif';color:#1F497D">This
            is probably a bug that we should consider during Thursday's
            call, as we shouldn’t be trying to say what OAuth systems do
            when not using OpenID Connect.  Can you file an issue saying
            that for us to consider tomorrow?<o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:'Calibri','sans-serif';color:#1F497D"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:'Calibri','sans-serif';color:#1F497D">
            -- Mike<o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:'Calibri','sans-serif';color:#1F497D"><o:p> </o:p></span></p>
        <div>
          <div style="border:none;border-top:solid #B5C4DF
            1.0pt;padding:3.0pt 0in 0in 0in">
            <p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:'Tahoma','sans-serif';color:windowtext">From:</span></b><span
style="font-size:10.0pt;font-family:'Tahoma','sans-serif';color:windowtext">
                Amanda Anganes [<a class="moz-txt-link-freetext" href="mailto:aanganes@mitre.org">mailto:aanganes@mitre.org</a>]
                <br>
                <b>Sent:</b> Wednesday, January 30, 2013 2:15 PM<br>
                <b>To:</b> Mike Jones<br>
                <b>Cc:</b> <a class="moz-txt-link-abbreviated" href="mailto:openid-specs-ab@lists.openid.net">openid-specs-ab@lists.openid.net</a><br>
                <b>Subject:</b> Re: [Openid-specs-ab] Behavior if the
                scope parameter is omitted<o:p></o:p></span></p>
          </div>
        </div>
        <p class="MsoNormal"><o:p> </o:p></p>
        <p class="MsoNormal" style="margin-bottom:12.0pt">But, Messages
          does specify what to do if the "openid" scope value is not
          present: "If the openid scope value is not present, the
          request MUST NOT be treated as an OpenID Connect request" [
          <a moz-do-not-send="true"
            href="http://openid.net/specs/openid-connect-messages-1_0.html#scopes">http://openid.net/specs/openid-connect-messages-1_0.html#scopes</a>].
          That section does not say anything about defaults if no scope
          is sent, but it sounds to me like a request sent with *no*
          scope at all would fall under that umbrella, and MUST NOT be
          treated as an OpenID Connect request.
          <br>
          <br>
          --Amanda<o:p></o:p></p>
        <div>
          <p class="MsoNormal">On 01/30/2013 05:07 PM, Mike Jones wrote:<o:p></o:p></p>
        </div>
        <blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
          <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:'Calibri','sans-serif';color:#1F497D">Technically,
              the Connect specs are silent on what should happen if the
              “openid” scope value isn’t present.  The server could do
              anything that it and its clients decide to do (including
              behaving as if the “openid” scope value were present). 
              Omitting it isn’t a good practice, however.</span><o:p></o:p></p>
          <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:'Calibri','sans-serif';color:#1F497D"> </span><o:p></o:p></p>
          <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:'Calibri','sans-serif';color:#1F497D">
              -- Mike</span><o:p></o:p></p>
          <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:'Calibri','sans-serif';color:#1F497D"> </span><o:p></o:p></p>
          <div>
            <div style="border:none;border-top:solid #B5C4DF
              1.0pt;padding:3.0pt 0in 0in 0in">
              <p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:'Tahoma','sans-serif';color:windowtext">From:</span></b><span
style="font-size:10.0pt;font-family:'Tahoma','sans-serif';color:windowtext">
                  <a moz-do-not-send="true"
                    href="mailto:openid-specs-ab-bounces@lists.openid.net">openid-specs-ab-bounces@lists.openid.net</a>
                  [<a moz-do-not-send="true"
                    href="mailto:openid-specs-ab-bounces@lists.openid.net">mailto:openid-specs-ab-bounces@lists.openid.net</a>]
                  <b>On Behalf Of </b>Amanda Anganes<br>
                  <b>Sent:</b> Wednesday, January 30, 2013 2:01 PM<br>
                  <b>To:</b> <a moz-do-not-send="true"
                    href="mailto:openid-specs-ab@lists.openid.net">openid-specs-ab@lists.openid.net</a><br>
                  <b>Subject:</b> [Openid-specs-ab] Behavior if the
                  scope parameter is omitted</span><o:p></o:p></p>
            </div>
          </div>
          <p class="MsoNormal"> <o:p></o:p></p>
          <p class="MsoNormal">The OAuth 2.0 Specification, in section
            3.3, says the following [1]:<br>
            <br>
            If the client omits the scope parameter when requesting<br>
               authorization, the authorization server MUST either
            process the<br>
               request using a pre-defined default value or fail the
            request<br>
               indicating an invalid scope.  The authorization server
            SHOULD<br>
               document its scope requirements and default value (if
            defined).<br>
            <br>
            Messages section 2.4 [2] does not give any additional
            guidance about what to do if the client does not specify a
            scope value when making a request; however, it does indicate
            that the "openid" scope value MUST be included for the
            request to be treated as an OpenID Connect request (rather
            than an OAuth 2.0 request). <br>
            <br>
            What is the server required/allowed to do if the client
            omits to send the scope parameter? Does that MUST disallow
            an OIDC server from defaulting a non-scoped request to
            include the "openid" scope?
            <br>
            <br>
            [1] <a moz-do-not-send="true"
              href="http://tools.ietf.org/html/rfc6749#section-3.3">http://tools.ietf.org/html/rfc6749#section-3.3</a><br>
            [2] <a moz-do-not-send="true"
              href="http://openid.net/specs/openid-connect-messages-1_0.html#scopes">http://openid.net/specs/openid-connect-messages-1_0.html#scopes</a><br>
            <br>
            --Amanda<o:p></o:p></p>
        </blockquote>
        <p class="MsoNormal"><o:p> </o:p></p>
      </div>
    </blockquote>
    <br>
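    <p>Added example, not part of the original thread and not code from the OpenID Connect working group: a sketch of how an authorization server could apply the two rules quoted above, RFC 6749 section 3.3 for an omitted scope and the Messages rule that a request without the "openid" scope value is not an OpenID Connect request. The names <code>classify_request</code>, <code>OAuthError</code>, <code>SUPPORTED_SCOPES</code> and <code>DEFAULT_SCOPES</code>, the scope sets and the sample requests are assumptions constructed for illustration, and the sketch follows the reading in which a defaulted request is never treated as OpenID Connect.</p>

```python
from urllib.parse import parse_qs

# Assumptions (constructed for this example): the scope values this server
# knows, and its documented default, which deliberately omits "openid".
SUPPORTED_SCOPES = frozenset({"openid", "profile", "email"})
DEFAULT_SCOPES = frozenset({"profile"})


class OAuthError(Exception):
    """Carries the OAuth 2.0 error code to return to the client."""

    def __init__(self, code, description):
        super().__init__(description)
        self.code = code


def classify_request(query, allow_default=True):
    """Return (effective_scopes, is_oidc) for an authorization request query."""
    values = parse_qs(query, keep_blank_values=True).get("scope", [])
    if len(values) > 1:
        # RFC 6749 section 3.1: a parameter must not be included more than once.
        raise OAuthError("invalid_request", "scope sent more than once")
    # scope is a space-delimited list; an empty value is handled as omitted here.
    requested = frozenset(values[0].split()) if values else frozenset()

    if not requested:
        # RFC 6749 section 3.3: use a pre-defined default or fail the request.
        if not allow_default:
            raise OAuthError("invalid_scope", "scope is required by this server")
        effective = DEFAULT_SCOPES
    else:
        # Policy choice in this sketch: drop values the server does not know.
        effective = requested & SUPPORTED_SCOPES

    # Decided from what the client sent, never from the default, so a
    # defaulted request cannot turn into an OpenID Connect request.
    is_oidc = "openid" in requested
    return effective, is_oidc


if __name__ == "__main__":
    # Constructed sample requests: one with the openid scope, one with no scope.
    for q in ("response_type=code&client_id=c1&scope=openid+profile",
              "response_type=code&client_id=c1"):
        print(q, "->", classify_request(q))
```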
  </body>
</html>