[Openid-specs-ab] [openid/connect] Behavior if scope parameter is omitted from authorization request (issue #738)
Amanda_Anganes
issues-reply at bitbucket.org
Wed Jan 30 22:23:54 UTC 2013
New issue 738: Behavior if scope parameter is omitted from authorization request
https://bitbucket.org/openid/connect/issue/738/behavior-if-scope-parameter-is-omitted
Amanda_Anganes:
The OAuth 2.0 Specification, in section 3.3, says the following [1]:
   If the client omits the scope parameter when requesting
   authorization, the authorization server MUST either process the
   request using a pre-defined default value or fail the request
   indicating an invalid scope.  The authorization server SHOULD
   document its scope requirements and default value (if defined).
Regarding scopes, Messages 2.4 says that the "openid" scope is REQUIRED: "If the openid scope value is not present, the request MUST NOT be treated as an OpenID Connect request"[2].
If the scope parameter is omitted entirely, what is an OIDC server allowed/required to do? The requirement in Messages seems to indicate that a server may not default a non-scoped request to include the "openid" scope.
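Added example, not part of the original message or of either specification: a sketch of how an authorization server could apply the two quoted rules together. The function name `classify_request`, the `DEFAULT_SCOPE` value and the sample query strings are hypothetical, and the choice that a server-supplied default never makes a request an OpenID Connect request is the conservative reading the question points at, taken here as an assumption rather than a settled answer.

```python
from urllib.parse import parse_qs

# Assumed server policy (hypothetical, not from either specification):
# a documented default scope, or None to reject scope-less requests.
DEFAULT_SCOPE = ("profile",)


def classify_request(query, default_scope=DEFAULT_SCOPE):
    """Return (scopes, is_oidc, error) for an authorization request query string."""
    params = parse_qs(query, keep_blank_values=True)
    values = params.get("scope", [])
    if len(values) > 1:
        # RFC 6749 section 3.1: parameters MUST NOT be included more than once.
        return (), False, "invalid_request"

    # Scope is a space-delimited list. A parameter sent without a value is
    # treated as omitted (RFC 6749 section 3.1), so "scope=" yields ().
    requested = tuple(values[0].split()) if values else ()
    if requested:
        # OIDC treatment depends only on what the client actually sent.
        return requested, "openid" in requested, None

    # Scope omitted: OAuth 2.0 section 3.3 allows exactly two outcomes.
    if default_scope is None:
        return (), False, "invalid_scope"

    # Assumption (conservative reading): the default is applied for plain
    # OAuth only, so "openid" is dropped from it and is_oidc stays False.
    granted = tuple(s for s in default_scope if s != "openid")
    return granted, False, None


if __name__ == "__main__":
    # Constructed sample requests.
    for q in (
        "response_type=code&client_id=c1&scope=openid+profile",
        "response_type=code&client_id=c1&scope=profile",
        "response_type=code&client_id=c1",
        "response_type=code&client_id=c1&scope=",
    ):
        print(q, "->", classify_request(q))
```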