[Openid-specs-ab] Issue #1837: [Federation] metadata policy - relying party, claim "scope" (openid/connect)
peppelinux
issues-reply at bitbucket.org
Mon Feb 27 17:13:44 UTC 2023
New issue 1837: [Federation] metadata policy - relying party, claim "scope"
https://bitbucket.org/openid/connect/issues/1837/federation-metadata-policy-relying-party
Giuseppe De Marco:
In the RP’s metadata the claim “scope” is defined in [https://www.rfc-editor.org/rfc/rfc7591](https://www.rfc-editor.org/rfc/rfc7591), Section 2 Client Metadata, as \`String containing a space-separated list of scope values \(as described in Section 3.3 of OAuth 2.0 \[RFC6749\]\)\`
the best way to define a policy on the RP’s allowed claims is not defining a string but, instead, as it is an array of strings, as defined below:
```
"scope": {
"superset_of": ["openid"],
"subset_of": ["openid", "offline_access"]
},
```
Unfortunately, this strategy may raise an exception in an implementation that cannot apply array operators to a string value (scope).
Do we have to specify a special implementation indication for this single claim (and for all those that expose a space-separated list of strings as a single string), or do we have some alternative?
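The mismatch described in the post, worked through as an added example. This is illustrative code written for this page; it is not from the post, from the OpenID Federation specification or from any library. It assumes a simplified reading of the policy operators (`value`, `default`, `add`, `one_of`, `subset_of`, `superset_of`, `essential`): `subset_of` filters the claim down to the allowed values and `superset_of` rejects metadata that lacks a required value. The function names, the `SPACE_SEPARATED_CLAIMS` table and the sample RP metadata are this example's own constructions. It shows a naive array operator silently mangling the space-separated `scope` string, and a policy engine that normalizes such claims to a list before applying the operators and re-serializes them afterwards.

```python
"""Applying OpenID Federation metadata-policy operators to a claim that
RFC 7591 serializes as a space-separated string ("scope").

Added example; operator semantics are a simplification (assumption)."""
from typing import Any

# Claims that OAuth/RFC 7591 serialize as one space-separated string even
# though policy operators like subset_of / superset_of are array-valued.
SPACE_SEPARATED_CLAIMS = {"scope"}


class PolicyError(Exception):
    """Raised when the metadata cannot satisfy the policy."""


def naive_subset_of(value: Any, allowed: list) -> list:
    """The failure mode from the post: treating the value as an array.
    Iterating a string yields characters, so every scope is dropped."""
    return [v for v in value if v in set(allowed)]


def _to_list(claim: str, value: Any) -> list:
    """Normalize a claim value to a list of atomic values."""
    if claim in SPACE_SEPARATED_CLAIMS and isinstance(value, str):
        return value.split()  # "openid offline_access" -> ["openid", "offline_access"]
    if isinstance(value, list):
        return list(value)
    return [value]


def _from_list(claim: str, items: list, original: Any) -> Any:
    """Serialize back into the claim's wire form."""
    if claim in SPACE_SEPARATED_CLAIMS:
        return " ".join(items)
    if isinstance(original, list) or len(items) != 1:
        return items
    return items[0]


def apply_claim_policy(claim: str, value: Any, ops: dict) -> Any:
    """Apply one claim's operators. Returns the resulting value, or None
    when the claim ends up absent. Raises PolicyError on a violation."""
    if "value" in ops:
        value = ops["value"]
    if value is None and "default" in ops:
        value = ops["default"]
    if "add" in ops:
        items = _to_list(claim, value) if value is not None else []
        for v in _to_list(claim, ops["add"]):
            if v not in items:
                items.append(v)
        value = _from_list(claim, items, value if value is not None else [])
    if "one_of" in ops and value is not None and value not in ops["one_of"]:
        raise PolicyError(f"{claim}: {value!r} is not one of {ops['one_of']}")
    items = _to_list(claim, value) if value is not None else []
    if "subset_of" in ops:
        allowed = set(ops["subset_of"])
        items = [v for v in items if v in allowed]  # drop disallowed values
        value = _from_list(claim, items, value) if items else None
    if "superset_of" in ops:
        missing = [v for v in ops["superset_of"] if v not in items]
        if missing:
            raise PolicyError(f"{claim}: required values missing: {missing}")
    if ops.get("essential") and value is None:
        raise PolicyError(f"{claim}: essential claim is absent")
    return value


def apply_policy(metadata: dict, policy: dict) -> dict:
    """Apply a metadata policy to RP metadata, returning the resolved metadata."""
    result = dict(metadata)
    for claim, ops in policy.items():
        new = apply_claim_policy(claim, result.get(claim), ops)
        if new is None:
            result.pop(claim, None)
        else:
            result[claim] = new
    return result


# Constructed sample RP metadata and policy (not taken from the post).
RP_METADATA = {
    "client_name": "Example RP",
    "redirect_uris": ["https://rp.example.org/cb"],
    "scope": "openid profile email offline_access",
}
RP_POLICY = {
    "scope": {"superset_of": ["openid"], "subset_of": ["openid", "offline_access"]},
    "grant_types": {"default": ["authorization_code"]},
    "token_endpoint_auth_method": {"one_of": ["private_key_jwt"]},
}

if __name__ == "__main__":
    print(naive_subset_of(RP_METADATA["scope"], RP_POLICY["scope"]["subset_of"]))
    print(apply_policy(RP_METADATA, RP_POLICY))
```

The naive operator returns an empty list for the sample metadata, so an engine without the normalization step would strip every scope without raising anything. With normalization, `scope` resolves to `"openid offline_access"`, an RP whose scope lacks `openid` is rejected by `superset_of`, and a claim the policy filters to nothing is removed rather than left as an empty string.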