[Openid-specs-ab] Issue #2178: [Native SSO] the openid scope on token exchange (openid/connect)
Takahiko Kawasaki
issues-reply at bitbucket.org
Fri Apr 25 14:12:32 UTC 2025
New issue 2178: [Native SSO] the openid scope on token exchange
https://bitbucket.org/openid/connect/issues/2178/native-sso-the-openid-scope-on-token
Takahiko Kawasaki:
In [OpenID Connect Native SSO for Mobile Apps 1.0](https://openid.net/specs/openid-connect-native-sso-1_0.html) draft 07, [Section 4.1. OAuth2 Token Exchange Profile](https://openid.net/specs/openid-connect-native-sso-1_0.html#section-4.1), the `scope` request parameter is defined as follows:
> scope
>
> OPTIONAL. The scopes required by the requesting native application. When present, it MUST include the `openid` scope value as one of the provided values.
However, since [RFC 6749 The OAuth 2.0 Authorization Framework](https://www.rfc-editor.org/rfc/rfc6749.html), [Section 3.3 Access Token Scope](https://www.rfc-editor.org/rfc/rfc6749.html#section-3.3) states the following, some authorization server implementations may apply a default scope set when the `scope` parameter is omitted.
> If the client omits the `scope` parameter when requesting authorization, the authorization server MUST either process the request using a pre-defined default value or fail the request indicating an invalid scope.
Let’s suppose the default scope set is resolved to `["scope1", "scope2"]`, and `openid` is not included. Under the current Native SSO specification, this does not result in an error—because the `openid` scope is only required when the `scope` parameter is explicitly specified. Whether the `openid` scope is required or not depends on whether the `scope` parameter is explicitly provided or defaults are applied. **This behavior is inconsistent.**
I believe the description of the `scope` parameter should be modified so that either the `openid` scope is required in both cases — whether the `scope` parameter is explicitly specified or the default scope set is applied — or the `openid` scope is not required at all.
Frankly speaking, I don't quite understand why the access token issued through token exchange must have the `openid` scope. While I can imagine that it might be because the access token and refresh token are tied to the user's authentication session, I don't see the technical necessity for it.
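To make the inconsistency concrete, the following is an added example, not code from the issue or from the Native SSO specification: it models an authorization server's scope resolution for the token-exchange request under the draft 07 wording and under a consistent alternative. The default scope set `["scope1", "scope2"]`, the `InvalidScope` class and the request dictionaries are constructed for illustration.

```python
"""Scope resolution for a Native SSO token-exchange request.

Constructed model of an authorization server's scope handling; it is not the
specification's or any product's code.  It shows why checking for `openid`
only when the `scope` parameter is present gives different outcomes for an
explicit request and for the RFC 6749 default-scope path.
"""

# Constructed default scope set (RFC 6749 section 3.3): note that it does not
# contain "openid".
DEFAULT_SCOPES = ["scope1", "scope2"]

# Constructed token-exchange request shape (RFC 8693 grant type, without scope).
TOKEN_EXCHANGE_NO_SCOPE = {
    "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
}


class InvalidScope(Exception):
    """Hypothetical error corresponding to an `invalid_scope` error response."""


def resolve_scope_as_drafted(params: dict) -> list[str]:
    """Draft 07 wording: `openid` is checked only when `scope` is present.

    When `scope` is omitted the default set is applied without the check, so
    the issued tokens may lack `openid` without any error being raised.
    """
    raw = params.get("scope")
    if raw is None:
        return list(DEFAULT_SCOPES)
    scopes = raw.split()
    if "openid" not in scopes:
        raise InvalidScope("scope MUST include openid")
    return scopes


def resolve_scope_consistently(params: dict) -> list[str]:
    """Consistent alternative: resolve defaults first, then check once.

    The requirement is enforced on the resolved set regardless of whether it
    came from the request or from the default scope set.
    """
    raw = params.get("scope")
    scopes = raw.split() if raw is not None else list(DEFAULT_SCOPES)
    if "openid" not in scopes:
        raise InvalidScope("resolved scope set does not include openid")
    return scopes


def rejects(resolver, params: dict) -> bool:
    """Return True when the resolver fails the request with InvalidScope."""
    try:
        resolver(params)
    except InvalidScope:
        return True
    return False
```

With the default set above, the drafted rule silently accepts the request without `scope` while the consistent rule rejects it, which is the inconsistency the issue points out.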