[Openid-specs-fapi] Issue #138: Question: Is including openid in the scope required? (openid/fapi)

Kengo Suzuki issues-reply at bitbucket.org
Sat Apr 7 10:35:44 UTC 2018


New issue 138: Question: Is including openid in the scope required?
https://bitbucket.org/openid/fapi/issues/138/question-is-including-openid-in-the-scope

Kengo Suzuki:

Correct me if I'm wrong about where and how to raise this issue related to the question.
(I have signed and sent the Contribution Agreement.)

I am reading "Financial API - Part 1" and am not so sure about the scope specification for the Authorization Server.

First, sec 5.2.3 requires a Public Client to `include openid in the scope value`.
Then, sec 5.2.4 requires a Confidential Client to do the following: `In addition to the provisions for a Public Client, except for [RFC7636] support,...`

So I think this means an authorization request must include `openid` in the scope no matter what client type is being used.

However, sec 5.2.2 states that the Authorization Server is only required to issue an ID token `when openid was included in the requested scope`. So as a reader, I was a bit confused because I interpreted it as if there is a case where the scope does not require `openid`.

So what I want to send as a pull request is to remove the line `when openid was included in the requested scope as in Section 3.1.3.3 of [OIDC]` from 5.2.2-24, but before that I want to make sure that's the right idea. It will provide a solid understanding to readers.

Or would it be correct to add `including openid for scope` after `In addition to the provisions for a Public Client, except for [RFC7636] support, a Confidential Client` in sec 5.2.4?

Thanks!
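The two readings discussed in the issue, modelled as request checks (added example, not code from the issue or from the FAPI project; the request URLs, client ids and the simplified PKCE check are constructed for illustration). The client-side check follows sec 5.2.3/5.2.4 as read above (every client must request `openid`), while the server-side rule follows sec 5.2.2 (issue an ID token when `openid` is present), so a request the client rules reject is the only case where the server rule is not triggered.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed sample authorization requests (not taken from the issue or the spec).
PUBLIC_REQ = ("https://as.example/authorize?response_type=code%20id_token"
              "&client_id=pub-app&scope=openid%20accounts"
              "&code_challenge=E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM")
CONFIDENTIAL_REQ = ("https://as.example/authorize?response_type=code"
                    "&client_id=conf-app&scope=accounts")


def query_params(url):
    """Parse the query string of an authorization request into {name: [values]}."""
    return parse_qs(urlsplit(url).query)


def requested_scopes(url):
    """Scope is a space-delimited list of tokens (RFC 6749 sec 3.3); split on
    whitespace so that a token such as 'openidx' is never mistaken for 'openid'."""
    return query_params(url).get("scope", [""])[0].split()


def client_request_problems(url, client_type):
    """Model of sec 5.2.3 (Public Client) and sec 5.2.4 (Confidential Client) as read
    in the issue: both client types must include 'openid' in scope; the only
    provision waived for confidential clients is RFC 7636 (PKCE) support.
    PKCE is simplified here to 'code_challenge present' (assumption for this example)."""
    problems = []
    if "openid" not in requested_scopes(url):
        problems.append("scope lacks openid")
    if client_type == "public" and "code_challenge" not in query_params(url):
        problems.append("public client did not send a PKCE code_challenge")
    return problems


def server_must_issue_id_token(url):
    """Model of sec 5.2.2: the Authorization Server is required to issue an ID token
    when 'openid' was included in the requested scope."""
    return "openid" in requested_scopes(url)


if __name__ == "__main__":
    for label, url, kind in (("public", PUBLIC_REQ, "public"),
                             ("confidential", CONFIDENTIAL_REQ, "confidential")):
        print(label, "client problems:", client_request_problems(url, kind) or "none",
              "| AS must issue ID token:", server_must_issue_id_token(url))
```

For the constructed confidential request the client check already fails ("scope lacks openid"), which is exactly the situation in which the sec 5.2.2 condition would not fire; for a conformant request it is always true.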



