[Openid-specs-mobile-profile] [E] Question: mandatory vs Optional Scopes

Hjelm, Bjorn Bjorn.Hjelm at VerizonWireless.com
Wed Aug 29 18:52:50 UTC 2018

The RP would state that a given "claim" is essential but would require the OP to support the claims parameter <http://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter>. It's worth noting that the "claims_parameter_supported Discovery result indicates whether the OP supports this parameter."

In talking to George, the general practice in a use case like this (where the RP asks for a set of attributes and the user chooses to not provide them) is that the RP would ask the user directly for those attributes if they are required.


From: Openid-specs-mobile-profile [mailto:openid-specs-mobile-profile-bounces at lists.openid.net] On Behalf Of Engan, Michael
Sent: Wednesday, August 29, 2018 10:52 AM
To: openid-specs-mobile-profile at lists.openid.net; Hjelm, Bjorn
Subject: [E] [Openid-specs-mobile-profile] Question: mandatory vs Optional Scopes

We have had requests from marketing teams to review SPs being able to define scopes as optional vs mandatory.

Today our assumptions are the scopes requested in an openid connect request are optional. If the SP for instance asks for
Scopes=(openid email phone), the user could select/deselect email or phone.

Instead of the SP having to give the user an error that the user can't proceed because one of the attributes was not provided, the SP could instead ask for a failed authentication for any scope being de-selected.

Is this a feature/experience that has come up with anyone else before?
Is there any suggestion in how to support this without doing something too far off spec?

Michael Engan
Principal Systems Architect,
Authentication, Authorization, & API security
12920 SE 38th Street | Bellevue, WA 98006
Direct 425-383-2268 | Mobile 425-443-3463
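
The approach described in the reply at the top of this message, sketched as an added example (not code from the thread or from any OP or RP implementation): the RP marks `email` and `phone_number` as essential through the `claims` request parameter when discovery advertises `claims_parameter_supported`, then checks what was actually released so it can ask the user directly. The endpoint, client values and function names are constructed placeholders.

```python
import json
from urllib.parse import urlencode

# Constructed discovery metadata for a placeholder OP (not a real deployment).
DISCOVERY = {
    "authorization_endpoint": "https://op.example/authorize",
    "claims_parameter_supported": True,
}

# Claims the RP cannot proceed without (delivered by the email and phone scopes).
ESSENTIAL = ("email", "phone_number")


def build_auth_request(discovery, client_id, redirect_uri, state, nonce,
                       essential=ESSENTIAL):
    """Build an authorization URL, marking claims essential when the OP allows it."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid email phone",
        "state": state,
        "nonce": nonce,
    }
    # Discovery defines claims_parameter_supported as false when omitted,
    # so only send the parameter on an explicit true.
    if discovery.get("claims_parameter_supported", False) is True:
        wanted = {name: {"essential": True} for name in essential}
        params["claims"] = json.dumps({"userinfo": wanted},
                                      separators=(",", ":"))
    return discovery["authorization_endpoint"] + "?" + urlencode(params)


def missing_essential(userinfo, essential=ESSENTIAL):
    """Return essential claims absent from the UserInfo response.

    OIDC Core says the OP must not return an error just because an
    essential claim was not released, so authentication still succeeds
    and the RP has to make this check itself.
    """
    return [c for c in essential if userinfo.get(c) in (None, "")]
```

A non-empty result from `missing_essential` is the point at which the RP prompts the user for those attributes itself instead of treating the login as failed.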
