[Openid-specs-ab] SCOPE not selectable

Justin Richer jricher at mit.edu
Mon Aug 17 17:01:45 UTC 2015


The optionality and deselection of scopes are the purview of the IdP and its security policies. Some implementations of OIDC allow the user to deselect scopes (MITREid Connect, which I work on, does for instance) while others only allow for an overall yes/no approval (Google is like this, for instance).

The previous version of OpenID tried to have “optional” and “required” information sets with SREG and AX, but in both of these cases, RPs just sent everything as “required”. The optionality was completely ignored in practice, and I suspect it would be again.

In OAuth and OIDC, if the client doesn’t get the scopes it wants, it can ask again until the user gives up trying to make it work.

 — Justin

> On Aug 17, 2015, at 12:34 PM, Preibisch, Sascha H <Sascha.Preibisch at ca.com> wrote:
> 
> Hi!
> 
> It may be an old topic but on the weekend I got a new Android phone and I attempted to install the LinkedIn and Twitter apps. Both apps requested about 10 permissions, which I denied, and therefore did not install.
> 
> I may be the only one who is annoyed by that but what is the reason why there is no effort in creating “optional” permissions? In the earlier development phase of OpenID Connect I joined a working group call and showed an example of an authorization page that required SCOPE “openid” but others were de-selectable by the resource owner. The others on that call did not appreciate that idea.
> 
> At IIW in March/ April 2014 Justin also mentioned the problem (what to do if requested SCOPE=LIVE KILL) but I do not see anyone addressing that or trying to change it.
> 
> Thanks for any thoughts on that,
> Sascha
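Editor's note: the exchange above is about policy, but the mechanics of a consent page that treats "openid" as mandatory and lets the user untick the rest are small enough to show. The following is an added example written for this archive page; it is not code from MITREid Connect, Google, or any other implementation named in the thread. It assumes a server policy where only "openid" is required (scope names such as "profile" and "offline_access" and the helper names are illustrative), and it uses the rule from RFC 6749 section 5.1 that the token response must carry a "scope" member whenever the issued scope differs from what the client asked for, which is how a client finds out that the user deselected something.

```python
"""
Partial-scope consent at an OIDC authorization server, plus the client's
view of the result. Added example for this archive page, not code from
MITREid Connect or any other implementation discussed in the thread.
All scope names other than "openid" and all helper names are hypothetical.
"""

# Assumption: the server's policy treats "openid" as mandatory for an OIDC
# request and lets the user deselect everything else.
REQUIRED_SCOPES = frozenset({"openid"})


def parse_scope(scope_param):
    """Split the space-delimited `scope` parameter (RFC 6749 s.3.3) into an
    ordered, de-duplicated list, preserving the client's order."""
    seen = []
    for token in scope_param.split():
        if token not in seen:
            seen.append(token)
    return seen


def consent_decision(requested, user_selected, required=REQUIRED_SCOPES):
    """Compute the scopes actually granted after the consent page.

    requested     - scopes from the authorization request
    user_selected - scopes the user left ticked on the consent page

    Returns (granted, error). `granted` never contains a scope that was not
    requested and never silently drops a required scope: if the user unticked
    a required scope the whole request is refused with OAuth's access_denied.
    """
    requested = list(requested)
    selected = set(user_selected)
    if not required.issubset(set(requested)):
        return [], "invalid_scope"          # not an OIDC request at all
    if not required.issubset(selected):
        return [], "access_denied"          # user refused the mandatory part
    granted = [s for s in requested if s in selected]
    return granted, None


def token_response(granted, requested, access_token="at-example"):
    """Build the token response body (constructed values).

    RFC 6749 s.5.1: the `scope` member is REQUIRED if the issued scope
    differs from what the client requested, so the client can detect that
    the user deselected something. Sending it unconditionally is also fine.
    """
    body = {"access_token": access_token, "token_type": "Bearer"}
    if set(granted) != set(requested):
        body["scope"] = " ".join(granted)
    return body


def client_missing_scopes(needed, response, requested):
    """Client side: which of the scopes the app needs are still missing.

    If the server omitted `scope`, the grant equals the request. The app can
    then run in a degraded mode, or re-prompt (the loop Justin describes),
    instead of treating the absent claims as an unexpected error.
    """
    if "scope" in response:
        granted = parse_scope(response["scope"])
    else:
        granted = list(requested)
    return [s for s in needed if s not in granted]
```

The server-side check is deliberately asymmetric: deselecting an optional scope narrows the grant, while deselecting a required one denies the request outright rather than issuing a token that is not an OIDC grant at all. On the client side the only reliable signal is the scope member of the token response, so an app that wants to degrade gracefully has to read it rather than assume the request was honoured in full.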


