[Openid-specs-ab] Issue #1572: Should AS entirely ignore the scopes in OpenID4VCI and 4VP that it does not understand (openid/connect)
Kristina Yasuda
issues-reply at bitbucket.org
Fri Jul 22 06:31:47 UTC 2022
New issue 1572: Should AS entirely ignore the scopes in OpenID4VCI and 4VP that it does not understand
https://bitbucket.org/openid/connect/issues/1572/should-as-entirely-ignore-the-scopes-in
Kristina Yasuda:
Currently, OpenID4VCI and 4VP instruct `Providers who do not understand the value of this scope in a request MUST ignore it entirely.`
Tobias has pointed out that this behaviour is not in line with RFC 6749, which says
`The authorization server MAY fully or partially ignore the scope
requested by the client, based on the authorization server policy or
the resource owner's instructions. If the issued access token scope
is different from the one requested by the client, the authorization
server MUST include the "scope" response parameter to inform the
client of the actual scope granted.`
and suggested we remove the current requirement to ignore.
From [a PR comment](https://bitbucket.org/openid/connect/pull-requests/238#comment-316794808) cc @{557058:8f0db39c-8807-4c20-8466-25be0b9dadc2}
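The RFC 6749 behaviour quoted in the issue, as an added Python sketch that is not part of the original message or of any specification text: an authorization server either drops scope values it does not understand or rejects the request, and returns the `scope` response parameter whenever the granted scope differs from the requested one. The function names, the scope values, the `strict` switch and the choice to fail when nothing can be granted are assumptions made for this illustration.

```python
# Added illustration; all names and scope values below are hypothetical.
SUPPORTED_SCOPES = frozenset({"openid", "profile", "example_credential"})


class InvalidScope(Exception):
    """Corresponds to the RFC 6749 `invalid_scope` error code."""


def parse_scope(value):
    """Split a space-delimited scope string into unique tokens, keeping order."""
    tokens = []
    for token in value.split(" "):
        if token and token not in tokens:
            tokens.append(token)
    return tokens


def build_token_response(requested, access_token,
                         supported=SUPPORTED_SCOPES, strict=False):
    """Return token response fields for a request carrying `requested` scopes.

    strict=False: scope values the AS does not understand are dropped.
    strict=True:  any unknown value fails the request with invalid_scope.
    """
    asked = parse_scope(requested)
    unknown = [s for s in asked if s not in supported]
    if strict and unknown:
        raise InvalidScope("unknown scope: " + " ".join(unknown))
    granted = [s for s in asked if s in supported]
    if not granted:
        # Assumption of this sketch: nothing grantable means the request fails.
        raise InvalidScope("no requested scope can be granted")
    response = {"access_token": access_token, "token_type": "Bearer"}
    # Scope order is not significant, so compare as sets. When the granted
    # scope differs from the requested one, "scope" MUST be returned.
    if set(granted) != set(asked):
        response["scope"] = " ".join(granted)
    return response


if __name__ == "__main__":
    # Constructed request: one understood scope, one unknown scope.
    print(build_token_response("openid unknown_vc_scope", "constructed-token"))
```

A client that relies on a credential-specific scope has to read the returned `scope` value, since under the lenient policy a dropped scope is only visible there.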