[Openid-specs-fapi] FAPI Profile and openid scope value

[Torsten Lodderstedt]

Hi all,

the "Read and Write API Security Profile" mandates the AS to use response type values "code id_token" or "code id_token token“ meaning an ID Token is provided in any case. In my understanding ID Token is primarily used to further secure the interaction, e.g. by providing the client with an iss claim used to detect mix-up.

Is it possible for the RP to use this functionality without the „openid" scope value? The reason I’m asking is I would like to let a RP/client differentiate use cases where it just wants to obtain an access token for API access but is not interested in the user id and use cases where the same client (now as RP) wants to obtain user id and further claims. Using the scope value „openid“ to differentiate those use cases seams straightforward to me. Otherwise the RP would need to use two different client ids with different sub claim policies for the different use cases, which most likely will cause complexity in the AS/OP's consent handling as I assume the RP would like to be the same legal entity in both cases.  

Thoughts? 

kind regards,
Torsten. 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3872 bytes
Desc: not available
URL: <http://lists.openid.net/pipermail/openid-specs-fapi/attachments/20180728/ff78c69d/attachment.p7s>