[Openid-specs-ab] Behavior if the scope parameter is omitted

[Mike Jones]

Technically, the Connect specs are silent on what should happen if the "openid" scope value isn't present.  The server could do anything that it and its clients decide to do (including behaving as if the "openid" scope value were present).  Omitting it isn't a good practice, however.

                                                                -- Mike

From: openid-specs-ab-bounces at lists.openid.net [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of Amanda Anganes
Sent: Wednesday, January 30, 2013 2:01 PM
To: openid-specs-ab at lists.openid.net
Subject: [Openid-specs-ab] Behavior if the scope parameter is omitted

The OAuth 2.0 Specification, in section 3.3, says the following [1]:

If the client omits the scope parameter when requesting
   authorization, the authorization server MUST either process the
   request using a pre-defined default value or fail the request
   indicating an invalid scope.  The authorization server SHOULD
   document its scope requirements and default value (if defined).

Messages section 2.4 [2] does not give any additional guidance about what to do if the client does not specify a scope value when making a request; however, it does indicate that the "openid" scope value MUST be included for the request to be treated as an OpenID Connect request (rather than an OAuth 2.0 request).

What is the server required/allowed to do if the client omits to send the scope parameter? Does that MUST disallow an OIDC server from defaulting a non-scoped request to include the "openid" scope?

[1] http://tools.ietf.org/html/rfc6749#section-3.3
[2] http://openid.net/specs/openid-connect-messages-1_0.html#scopes

--Amanda
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20130130/bef5c396/attachment.html>