[Openid-specs-ab] The dpop scope compatibility
Thomas Broyer
t.broyer at ltgt.net
Thu Aug 28 12:30:36 UTC 2025
It doesn't "contradict the spirit of OAuth", as it is spec'd that way:
https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2.1
IMO it was an error for OpenID Connect to be spec'd with this wording
though (maybe there's a good reason for ignoring unknown scopes, it should
then have been documented in the spec).
Thomas Broyer
/tɔ.ma.bʁwa.je/
<https://ipa-reader.com/?text=t%C9%94.ma.b%CA%81wa.je&voice=Mathieu>
On Thu, 28 Aug 2025, 14:13, Jacob Ideskog via Openid-specs-ab <
openid-specs-ab at lists.openid.net> wrote:
> Hi all,
>
> I was reading the OpenID Keybinding spec and found something I think will
> be breaking compatibility.
>
> In section 1.5 it states:
>
> "If the OP does not support the dpop scope, it MUST return an error
> response with the error code invalid_scope per [RFC6749] 5.2."
>
> This contradicts the spirit of OAuth and OpenID Connect where unknown
> parameters in general should be ignored if not understood.
>
> But for scope specifically the OpenID Connect spec 3.1.2.1 states:
>
> "Scope values used that are not understood by an implementation SHOULD be
> ignored"
>
> So an existing OP that knows nothing about the dpop scope could by default
> simply drop it. It sounds like this is trying to enforce behaviour on non-compliant
> OPs that they by default wouldn't have.
>
> Perhaps I missed something.
>
> Regards
> Jacob
>
> --
> Jacob Ideskog
> CTO
> Curity
> -------------------------------------------------------------------
> Sankt Göransgatan 66, Stockholm, Sweden
> M: +46 70-2233664
> jacob at curity.io
> curity.io
> -------------------------------------------------------------------
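To make the two behaviours discussed in this thread concrete, here is an added example (written for this archive page, not code from either poster or from any OpenID implementation) modelling an OP that does not know the dpop scope: the OIDC Core 3.1.2.1 default that silently drops unknown scope values, the keybinding text's required invalid_scope error, and the client-side check that relies on RFC 6749 5.1 echoing the granted scope in the token response. The SUPPORTED_SCOPES set and the token values are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample: an OP that understands these scopes and nothing else
# (in particular, it has never heard of "dpop").
SUPPORTED_SCOPES: Set[str] = {"openid", "profile", "email"}


@dataclass
class ScopeDecision:
    granted: List[str]        # scope values the OP will actually grant
    error: Optional[str]      # "invalid_scope" per RFC 6749 5.2, or None


def evaluate_scope(requested: str, supported: Set[str], enforce_dpop: bool) -> ScopeDecision:
    """Process the 'scope' request parameter.

    enforce_dpop=False models OIDC Core 3.1.2.1: values not understood are ignored.
    enforce_dpop=True  models the keybinding spec text quoted in the thread: an OP
    that does not support the 'dpop' scope MUST answer with invalid_scope.
    """
    values = requested.split()
    unknown = [s for s in values if s not in supported]
    if enforce_dpop and "dpop" in unknown:
        return ScopeDecision(granted=[], error="invalid_scope")
    # Default OIDC behaviour: drop anything not understood and carry on.
    return ScopeDecision(granted=[s for s in values if s in supported], error=None)


def token_response(granted: List[str], requested: str) -> dict:
    """Build a (constructed) RFC 6749 5.1 token response. 'scope' is REQUIRED
    when the granted set differs from what was requested, OPTIONAL otherwise."""
    body = {"access_token": "constructed-access-token", "token_type": "Bearer"}
    if set(granted) != set(requested.split()):
        body["scope"] = " ".join(granted)
    return body


def client_got_dpop(response: dict, requested: str) -> bool:
    """Client-side check after the token request. A missing 'scope' member means
    'granted as requested' under 5.1, so a silent drop is only detectable when
    the OP echoes the reduced scope as that section requires."""
    effective = response.get("scope", requested).split()
    return "dpop" in effective
```

An OP that drops the dpop value and also fails to echo the reduced scope leaves the client with no signal at all, which is why the client check alone cannot substitute for the invalid_scope requirement the spec text asks for.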