<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    But, Messages does specify what to do if the "openid" scope value is
    not present: "If the openid scope value is not present, the request
    MUST NOT be treated as an OpenID Connect request" [
    <a
      href="http://openid.net/specs/openid-connect-messages-1_0.html#scopes">http://openid.net/specs/openid-connect-messages-1_0.html#scopes</a>].
    That section does not say anything about defaults if no scope is
    sent, but it sounds to me like a request sent with *no* scope at all
    would fall under that umbrella, and MUST NOT be treated as an OpenID
    Connect request. <br>
    <br>
    --Amanda<br>
    <br>
    <div class="moz-cite-prefix">On 01/30/2013 05:07 PM, Mike Jones
      wrote:<br>
    </div>
    <blockquote
cite="mid:4E1F6AAD24975D4BA5B1680429673943673EB860@TK5EX14MBXC284.redmond.corp.microsoft.com"
      type="cite">
      <div class="WordSection1">
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:'Calibri','sans-serif';color:#1F497D">Technically,
            the Connect specs are silent on what should happen if the
            “openid” scope value isn’t present.  The server could do
            anything that it and its clients decide to do (including
            behaving as if the “openid” scope value were present). 
            Omitting it isn’t a good practice, however.<o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:'Calibri','sans-serif';color:#1F497D"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:'Calibri','sans-serif';color:#1F497D">-- Mike<o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:'Calibri','sans-serif';color:#1F497D"><o:p> </o:p></span></p>
        <div>
          <div style="border:none;border-top:solid #B5C4DF
            1.0pt;padding:3.0pt 0in 0in 0in">
            <p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:'Tahoma','sans-serif';color:windowtext">From:</span></b><span
style="font-size:10.0pt;font-family:'Tahoma','sans-serif';color:windowtext">
                <a class="moz-txt-link-abbreviated" href="mailto:openid-specs-ab-bounces@lists.openid.net">openid-specs-ab-bounces@lists.openid.net</a>
                [<a class="moz-txt-link-freetext" href="mailto:openid-specs-ab-bounces@lists.openid.net">mailto:openid-specs-ab-bounces@lists.openid.net</a>]
                <b>On Behalf Of </b>Amanda Anganes<br>
                <b>Sent:</b> Wednesday, January 30, 2013 2:01 PM<br>
                <b>To:</b> <a class="moz-txt-link-abbreviated" href="mailto:openid-specs-ab@lists.openid.net">openid-specs-ab@lists.openid.net</a><br>
                <b>Subject:</b> [Openid-specs-ab] Behavior if the scope
                parameter is omitted<o:p></o:p></span></p>
          </div>
        </div>
        <p class="MsoNormal"><o:p> </o:p></p>
        <p class="MsoNormal">The OAuth 2.0 Specification, in section
          3.3, says the following [1]:<br>
          <br>
          If the client omits the scope parameter when requesting<br>
             authorization, the authorization server MUST either process
          the<br>
             request using a pre-defined default value or fail the
          request<br>
             indicating an invalid scope.  The authorization server
          SHOULD<br>
             document its scope requirements and default value (if
          defined).<br>
          <br>
          Messages section 2.4 [2] does not give any additional guidance
          about what to do if the client does not specify a scope value
          when making a request; however, it does indicate that the
          "openid" scope value MUST be included for the request to be
          treated as an OpenID Connect request (rather than an OAuth 2.0
          request). <br>
          <br>
          What is the server required/allowed to do if the client omits
          to send the scope parameter? Does that MUST disallow an OIDC
          server from defaulting a non-scoped request to include the
          "openid" scope?
          <br>
          <br>
          [1] <a moz-do-not-send="true"
            href="http://tools.ietf.org/html/rfc6749#section-3.3">http://tools.ietf.org/html/rfc6749#section-3.3</a><br>
          [2] <a moz-do-not-send="true"
            href="http://openid.net/specs/openid-connect-messages-1_0.html#scopes">http://openid.net/specs/openid-connect-messages-1_0.html#scopes</a><br>
          <br>
          --Amanda<o:p></o:p></p>
      </div>
    </blockquote>
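    <p>The two readings discussed in this thread, as an added example that is not part of the original messages or of any OpenID Connect implementation. The function name <code>classify</code>, its <code>default_scope</code> and <code>strict</code> parameters, and the sample queries are assumptions made for illustration; treating an empty <code>scope</code> value like an omitted one is this example's choice.</p>

```python
from urllib.parse import parse_qs


def classify(query, default_scope=None, strict=True):
    """Classify an authorization request by its scope parameter.

    default_scope: the server's pre-defined default (RFC 6749 section 3.3),
                   or None if the server defines no default.
    strict=True  : only a client-sent "openid" makes the request OpenID Connect.
    strict=False : the server classifies on the scope after defaulting, i.e. it
                   behaves as if a defaulted "openid" had been sent.
    Returns (kind, detail): kind is "openid_connect", "oauth2" or "error".
    """
    values = parse_qs(query, keep_blank_values=True).get("scope")

    # RFC 6749 section 3.1: request parameters must not appear more than once.
    if values is not None and len(values) != 1:
        return ("error", "invalid_request")

    # scope is a space-delimited list; an empty value is handled like an
    # omitted parameter here (assumption of this example).
    sent = set(values[0].split()) if values else set()

    if sent:
        effective = sent
    elif default_scope:
        # Omitted scope, server has a documented default: process with it.
        effective = set(default_scope.split())
    else:
        # Omitted scope, no default: fail the request.
        return ("error", "invalid_scope")

    basis = sent if strict else effective
    kind = "openid_connect" if "openid" in basis else "oauth2"
    return (kind, " ".join(sorted(effective)))


if __name__ == "__main__":
    # Constructed sample requests (not taken from the thread).
    base = "response_type=code&client_id=c1"
    for q, default, strict in [
        (base + "&scope=openid+profile", None, True),
        (base + "&scope=profile", None, True),
        (base, None, True),
        (base, "openid profile", True),
        (base, "openid profile", False),
        (base + "&scope=openid&scope=profile", None, True),
    ]:
        print(classify(q, default, strict), "strict" if strict else "lenient", q)
```

    <p>With a default of <code>openid profile</code>, the same scope-less request is classified as plain OAuth 2.0 under <code>strict=True</code> and as OpenID Connect under <code>strict=False</code>, which is the difference the thread is about.</p>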
    <br>
  </body>
</html>