[Openid-specs-ab] The dpop scope compatibility
Jacob Ideskog
jacob.ideskog at curity.io
Thu Aug 28 12:13:34 UTC 2025
Hi all,
I was reading the OpenID Keybinding spec and found something I think will
be breaking compatibility.
In section 1.5 it states:
"If the OP does not support the dpop scope, it MUST return an error
response with the error code invalid_scope per [RFC6749] 5.2."
This contradicts the spirit of OAuth and OpenID Connect where unknown
parameters in general should be ignored if not understood.
But for scope specifically the OpenID Connect spec 3.1.2.1 states:
"Scope values used that are not understood by an implementation SHOULD be
ignored"
So an existing OP that knows nothing about the dpop scope could by default
simply drop it. It sounds like this is trying to enforce behaviour on
non-compliant OPs that they by default wouldn't have.
Perhaps I missed something.
Regards
Jacob
--
Jacob Ideskog
CTO
Curity
-------------------------------------------------------------------
Sankt Göransgatan 66, Stockholm, Sweden
M: +46 70-2233664
jacob at curity.io
curity.io
-------------------------------------------------------------------
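The two behaviours the post contrasts, as an added illustration that is not part of the original message or of either spec: an OP that follows the OIDC Core default silently drops the unknown `dpop` value, while one that follows the quoted Keybinding rule answers `invalid_scope`. The OP is modelled as a set of supported scope values with a `policy` switch, and the final client-side check is my own suggestion for detecting the silent-drop case.

```python
# Added illustration of the scope-handling behaviours discussed in the post.
# Assumptions (not from the post or either spec): the OP's configuration is
# modelled as a set of supported scope values, and "dpop" is treated as an
# ordinary value in the space-delimited scope string of RFC 6749 section 3.3.

INVALID_SCOPE = {"error": "invalid_scope"}  # error code from RFC 6749 section 5.2


def parse_scope(scope: str) -> list[str]:
    """Split an RFC 6749 scope string into its space-delimited values, keeping order and dropping duplicates."""
    values: list[str] = []
    for value in scope.split():
        if value not in values:
            values.append(value)
    return values


def authorize(requested: str, supported: set[str], policy: str) -> dict:
    """Model an OP's response to a requested scope string.

    policy="ignore": OIDC Core 3.1.2.1 default, values not understood are ignored.
    policy="reject": the Keybinding rule quoted in the post, a requested but
                     unsupported "dpop" value yields an invalid_scope error.
    """
    if policy not in ("ignore", "reject"):
        raise ValueError(f"unknown policy {policy!r}")
    requested_values = parse_scope(requested)
    if policy == "reject" and "dpop" in requested_values and "dpop" not in supported:
        return dict(INVALID_SCOPE)
    # Either policy grants only the values the OP actually supports.
    granted = [v for v in requested_values if v in supported]
    return {"scope": " ".join(granted)}


def client_got_key_binding(response: dict) -> bool:
    """Client-side check (hypothetical): treat key binding as honoured only if the
    OP echoed "dpop" back in the granted scope, since a legacy OP that ignores the
    value returns a success response without it."""
    return "dpop" in parse_scope(response.get("scope", ""))
```

A client that sends `openid dpop` to an OP built before the Keybinding spec therefore gets a normal success response with `scope=openid`, which is why the check on the granted scope, rather than the absence of an error, is what tells it whether binding took place.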