[Openid-specs-mobile-profile] Question: mandatory vs Optional Scopes

Engan, Michael Michael.Engan1 at T-Mobile.com
Wed Aug 29 17:51:39 UTC 2018


We have had requests from marketing teams to review SPs being able to define scopes as optional vs mandatory.

Today our assumption is that the scopes requested in an OpenID Connect request are optional. If the SP, for instance, asks for
Scopes=(openid email phone), the user could select/deselect email or phone.

Instead of the SP having to give the user an error that the user can't proceed because one of the attributes was not provided, the SP could instead ask for a failed authentication for any scope being de-selected.

Is this a feature/experience that has come up with anyone else before?
Is there any suggestion on how to support this without doing something too far off spec?



Michael Engan
Principal Systems Architect,
Authentication, Authorization, & API security
12920 SE 38th Street | Bellevue, WA 98006
Direct 425-383-2268 | Mobile 425-443-3463
