<html><head><meta http-equiv="Content-Type" content="text/html charset=windows-1252"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">The permissions you are asking about in Android are not really Connect scopes or claims. They are permissions for the Google play store or OS to release information to the app, or for the app to perform actions.<div class=""><br class=""></div><div class="">The good news is that in Android M it is no longer a all or nothing proposition, you can deselect permissions the app wants. However deselecting things will restrict app functionality as one would expect.</div><div class=""><br class=""></div><div class="">In OAuth there is no way to mark a scope as optional or required. </div><div class=""><br class=""></div><div class="">In Connect Sec 5.5.1 you can mark claims as essential to indicate to the AS that not returning those claims will cause the app not to function properly. </div><div class=""><br class=""></div><div class=""><span style="font-family: verdana, charcoal, helvetica, arial, sans-serif; font-size: small; widows: 1; background-color: rgb(255, 255, 255);" class="">"By requesting Claims as Essential Claims, the RP indicates to the End-User that releasing these Claims will ensure a smooth authorization for the specific task requested by the End-User. Note that even if the Claims are not available because the End-User did not authorize their release or they are not present, the Authorization Server MUST NOT generate an error when Claims are not returned, whether they are Essential or Voluntary, unless otherwise specified in the description of the specific claim.</span><font face="verdana, charcoal, helvetica, arial, sans-serif" size="2" class="">”</font></div><div class=""><div style="widows: 1;" class=""><font face="verdana, charcoal, helvetica, arial, sans-serif" size="2" class=""><span style="background-color: rgb(255, 255, 255);" class=""><br class=""></span></font></div><div style="widows: 1;" class=""><font face="verdana, charcoal, helvetica, arial, sans-serif" size="2" class=""><span style="background-color: rgb(255, 255, 255);" class="">Getting IdP to agree on UI is a hard thing. The Specification allows any scope or claim to be declined by the user. Making IdP put it in the UI is something much harder. </span></font></div><div style="widows: 1;" class=""><font face="verdana, charcoal, helvetica, arial, sans-serif" size="2" class=""><span style="background-color: rgb(255, 255, 255);" class=""><br class=""></span></font></div><div style="widows: 1;" class=""><font face="verdana, charcoal, helvetica, arial, sans-serif" size="2" class=""><span style="background-color: rgb(255, 255, 255);" class="">John B.</span></font></div><div style="widows: 1;" class=""><font face="verdana, charcoal, helvetica, arial, sans-serif" size="2" class=""><span style="background-color: rgb(255, 255, 255);" class=""><br class=""></span></font></div><div><blockquote type="cite" class=""><div class="">On Aug 17, 2015, at 1:34 PM, Preibisch, Sascha H <<a href="mailto:Sascha.Preibisch@ca.com" class="">Sascha.Preibisch@ca.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class="">
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" class="">
<div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; font-size: 14px; font-family: Calibri, sans-serif;" class="">
<div class="">Hi!</div>
<span id="OLK_SRC_BODY_SECTION" class="">
<div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; font-size: 14px; font-family: Calibri, sans-serif;" class="">
<div class=""><br class="">
</div>
<div class="">It may be an old topic but on the weekend I got a new Android phone and I attempted to install the LinkedIn and Twitter apps. Both apps requested about 10 permissions. Which I denied and therefore not installed.</div>
<div class=""><br class="">
</div>
<div class="">I may be the only one who is annoyed by that but what is the reason why there is no effort in creating “optional” permissions? In the earlier development phase of OpenID Connect I joined a working group call and showed an example of an authorization page
that required SCOPE “openid” but others were de-selectable by the resource owner. The others on that call did not appreciate that idea.</div>
<div class=""><br class="">
</div>
<div class="">At IIW in March/ April 2014 Justin also mentioned the problem (what to do if requested SCOPE=LIVE KILL) but I do not see anyone addressing that or trying to change it.</div>
<div class=""><br class="">
</div>
<div class="">Thanks for any thoughts on that,</div>
<div class="">Sascha</div>
</div>
</span>
</div>
_______________________________________________<br class="">Openid-specs-ab mailing list<br class=""><a href="mailto:Openid-specs-ab@lists.openid.net" class="">Openid-specs-ab@lists.openid.net</a><br class="">http://lists.openid.net/mailman/listinfo/openid-specs-ab<br class=""></div></blockquote></div><br class=""></div></body></html>