[Openid-specs-ab] Behavior if the scope parameter is omitted
Amanda Anganes
aanganes at mitre.org
Wed Jan 30 22:01:06 UTC 2013
The OAuth 2.0 Specification, in section 3.3, says the following [1]:
If the client omits the scope parameter when requesting
authorization, the authorization server MUST either process the
request using a pre-defined default value or fail the request
indicating an invalid scope. The authorization server SHOULD
document its scope requirements and default value (if defined).
Messages section 2.4 [2] does not give any additional guidance about
what to do if the client does not specify a scope value when making a
request; however, it does indicate that the "openid" scope value MUST be
included for the request to be treated as an OpenID Connect request
(rather than an OAuth 2.0 request).
What is the server required/allowed to do if the client omits to send
the scope parameter? Does that MUST disallow an OIDC server from
defaulting a non-scoped request to include the "openid" scope?
[1] http://tools.ietf.org/html/rfc6749#section-3.3
[2] http://openid.net/specs/openid-connect-messages-1_0.html#scopes
--Amanda
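An added example (not part of the original post, and not code from MITRE or the OpenID Foundation) that models the two branches RFC 6749 section 3.3 permits for a request with no scope parameter: apply a documented default, or fail with invalid_scope. The AuthorizationServer class, the ScopeDecision type, error_redirect, the supported scope list and the request URLs are all hypothetical. Whether the documented default may contain "openid" is exactly the open question in the post; the code only makes that policy explicit and configurable rather than answering it.

```python
"""Hypothetical model of scope handling in an OAuth 2.0 / OpenID Connect
authorization server (added example, not from the original post)."""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional
from urllib.parse import parse_qs, urlencode, urlsplit


@dataclass(frozen=True)
class ScopeDecision:
    """Outcome of resolving the scope of one authorization request."""
    error: Optional[str]      # "invalid_scope", "invalid_request", or None
    scopes: FrozenSet[str]    # effective scope set (empty when error is set)
    is_oidc: bool             # True only when "openid" is in the effective set


class AuthorizationServer:
    """Hypothetical server. default_scope=None selects the 'fail the request'
    branch of RFC 6749 3.3; any other value selects the 'documented default'
    branch."""

    def __init__(self, supported_scopes: Iterable[str],
                 default_scope: Optional[Iterable[str]] = None) -> None:
        self.supported = frozenset(supported_scopes)
        self.default = None if default_scope is None else frozenset(default_scope)
        if self.default is not None and not self.default <= self.supported:
            raise ValueError("documented default must be a subset of supported scopes")

    def resolve_scope(self, request_url: str) -> ScopeDecision:
        query = parse_qs(urlsplit(request_url).query, keep_blank_values=True)
        values = query.get("scope")
        if values is not None and len(values) > 1:
            # RFC 6749 3.1: request parameters MUST NOT be included more than once.
            return ScopeDecision("invalid_request", frozenset(), False)
        if values is None or values[0].strip() == "":
            # Omitted, or sent without a value, which RFC 6749 3.1 says MUST be
            # treated as omitted. RFC 6749 3.3: default value or invalid_scope.
            if self.default is None:
                return ScopeDecision("invalid_scope", frozenset(), False)
            return ScopeDecision(None, self.default, "openid" in self.default)
        # RFC 6749 3.3: space-delimited, case-sensitive tokens. split() tolerates
        # repeated separators; tokens are compared exactly, never lower-cased.
        requested = frozenset(values[0].split())
        if not requested <= self.supported:
            return ScopeDecision("invalid_scope", frozenset(), False)
        # OpenID Connect: only a request carrying "openid" is an OIDC request;
        # anything else is processed as a plain OAuth 2.0 request.
        return ScopeDecision(None, requested, "openid" in requested)


def error_redirect(redirect_uri: str, decision: ScopeDecision,
                   state: Optional[str] = None) -> Optional[str]:
    """Build the RFC 6749 4.1.2.1 error redirect for a failed decision.

    redirect_uri must already have been validated against the client's
    registered value; redirecting to an unvalidated one is an open redirect.
    """
    if decision.error is None:
        return None
    params = {"error": decision.error}
    if state is not None:
        params["state"] = state   # state MUST be echoed back when the client sent it
    sep = "&" if urlsplit(redirect_uri).query else "?"
    return redirect_uri + sep + urlencode(params)


if __name__ == "__main__":
    # Constructed request; no network access is made.
    req = "https://as.example/authorize?response_type=code&client_id=c1&state=xyz"
    strict = AuthorizationServer(["openid", "profile", "email"])
    lenient = AuthorizationServer(["openid", "profile", "email"], default_scope=["openid"])
    print(strict.resolve_scope(req))
    print(error_redirect("https://client.example/cb", strict.resolve_scope(req), "xyz"))
    print(lenient.resolve_scope(req))
```

Running the module shows the same unscoped request being rejected by the strict server (and the resulting error redirect carrying the client's state) while the lenient server processes it with the documented default; a server that adopts the lenient policy should document that default, as the SHOULD in section 3.3 asks.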