[Openid-specs-fapi] Issue #138: Question: Is including openid in the scope required? (openid/fapi)
Kengo Suzuki
issues-reply at bitbucket.org
Sat Apr 7 10:35:44 UTC 2018
New issue 138: Question: Is including openid in the scope required?
https://bitbucket.org/openid/fapi/issues/138/question-is-including-openid-in-the-scope
Kengo Suzuki:
Correct me if I'm wrong about where and how to raise this issue related to the question.
(I have signed and sent the Contribution Agreement.)
I am reading "Financial API - Part 1" and am not so sure about the scope specification in the Authorization Server.
First, sec. 5.2.3 requires a Public Client to `include openid in the scope value`.
Then, sec. 5.2.4 requires of a Confidential Client: `In addition to the provisions for a Public Client, except for [RFC7636] support,...`
So I think this means an authorization request must include `openid` in the scope no matter what client type is being used.
However, sec. 5.2.2 states the Authorization Server is only required to issue an ID token `when openid was included in the requested scope`. So as a reader, I was a bit confused, because I interpreted it as if there is a case where the scope does not require `openid`.
So what I want to send a pull request for is to remove the line `when openid was included in the requested scope as in Section 3.1.3.3 of [OIDC]` from 5.2.2-24, but before that I want to make sure that's the right idea. It will provide a solid understanding to readers.
Or could it be correct to add `including openid for scope` after `In addition to the provisions for a Public Client, except for [RFC7636] support, a Confidential Client` in sec. 5.2.4?
Thanks!