<div dir="ltr"><div>> What is the point of this requirement?</div><div><br></div><div>Imagine being completely unable to delete a scope because that would break every OAuth client, knowing that many cannot be easily updated for a long time (their update cycle is outside of your control).</div><div><br></div><div>When you could just let the server "ignore" unknown scopes, and the client would continue working happily with only the valid scopes it requested.</div><div><br></div><div>Regards,</div><div><br></div><div>Renato Athaydes</div></div><br><div class="gmail_quote gmail_quote_container"><div dir="ltr" class="gmail_attr">On Thu, Aug 28, 2025 at 2:57 PM Filip Skokan via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net">openid-specs-ab@lists.openid.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div>There is in fact no mandate to throw on unsupported or unrecognized scopes values, the code is defined but not mandated to be used by implementers. In fact OIDC Core 1.0 explicitly says the following in <a href="https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest" target="_blank">3.1.2.1. Authentication Request</a> (as Jacob already pointed out).</div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Scope values used that are not understood by an implementation SHOULD be ignored.</blockquote><div><br></div><div>What is the point of this requirement? 
Can you instead mandate that when this specification is supported servers MUST include the dpop scope in their RFC8414 / OIDC Discovery 1.0 documents `scopes_supported` parameter and have clients check that before using it?</div><div><br></div><div><div dir="ltr" class="gmail_signature">Best regards,<br><b>Filip Skokan</b></div></div><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, 28 Aug 2025 at 14:30, Thomas Broyer via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="auto"><div><div>It doesn't "contradict the spirit of OAuth", as it is spec'd that way: <a href="https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2.1" target="_blank">https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2.1</a></div><div dir="auto"><br></div><div dir="auto">IMO it was an error for OpenID Connect to be spec'd with this wording though (maybe there's a good reason for ignoring unknown scopes, it should then have been documented in the spec).</div><div><br></div><div><div dir="ltr">Thomas Broyer<br><a href="https://ipa-reader.com/?text=t%C9%94.ma.b%CA%81wa.je&voice=Mathieu" target="_blank">/tɔ.ma.bʁwa.je/</a></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, 
28 Aug 2025, 14:13, Jacob Ideskog via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div>Hi all,</div><div><br></div><div>I was reading the OpenID Keybinding spec and found something I think will break compatibility.</div><div><br></div><div>In section 1.5 it states:</div><div><br></div><div>"If the OP does not support the <code>dpop</code> scope, it MUST return an error response with the error code <code>invalid_scope</code> per [RFC6749] 5.2."</div><div><br></div><div>This contradicts the spirit of OAuth and OpenID Connect where unknown parameters in general should be ignored if not understood.</div><div><br></div><div>But for scope specifically the OpenID Connect spec 3.1.2.1 states:</div><div><br></div><div>"Scope values used that are not understood by an implementation SHOULD be ignored"</div><div><br></div><div>So an existing OP that knows nothing about the dpop scope could by default simply drop it. 
It sounds like this is trying to enforce behaviour on non-compliant OPs that they by default wouldn't have.</div><div><br></div><div>Perhaps I missed something.</div><div><br></div><div>Regards</div><div>Jacob</div><div><br></div><span class="gmail_signature_prefix">-- </span><br><div dir="ltr" class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><span style="font-size:small"></span>Jacob Ideskog<br><div style="font-size:small"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div><div>CTO<br></div><div>Curity<br></div><span style="color:rgb(136,136,136)">------------------------------</span><span style="color:rgb(136,136,136)">------------------------------</span><span style="color:rgb(136,136,136)">-------</span><div><a href="https://www.google.com/maps/search/Sankt+G%C3%B6ransgatan+66,+Stockholm,+Sweden?entry=gmail&source=g" target="_blank">Sankt Göransgatan 66, Stockholm, Sweden</a><br>M: <a value="+46727255655" style="color:rgb(17,85,204)" rel="noreferrer">+46 70-2233664</a><br><font style="color:rgb(17,85,204)" color="#009900"><a href="mailto:jacob@twobo.com" style="color:rgb(17,85,204)" rel="noreferrer" target="_blank">j</a><a href="mailto:acob@curity.io" rel="noreferrer" target="_blank">acob@curity.io</a></font></div></div><div><font style="color:rgb(17,85,204)" color="#009900"><a href="http://curity.io" rel="noreferrer" target="_blank">curity.io</a></font></div><div><span style="color:rgb(136,136,136)">------------------------------</span><span style="color:rgb(136,136,136)">------------------------------</span><span style="color:rgb(136,136,136)">-------</span></div></div></div></div></div></div></div></div></div></div></div>
_______________________________________________<br>
Openid-specs-ab mailing list<br>
<a href="mailto:Openid-specs-ab@lists.openid.net" rel="noreferrer" target="_blank">Openid-specs-ab@lists.openid.net</a><br>
<a href="https://lists.openid.net/mailman/listinfo/openid-specs-ab" rel="noreferrer noreferrer" target="_blank">https://lists.openid.net/mailman/listinfo/openid-specs-ab</a><br>
</blockquote></div></div></div>
</blockquote></div>
</blockquote></div>
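Added example, not part of the thread: it models the two OP behaviours the thread contrasts for an unsupported `dpop` scope (OIDC Core 3.1.2.1 "ignore" versus the quoted Keybinding section 1.5 "invalid_scope"), the `scopes_supported` discovery check Filip proposes, and the check a client should make on the granted scope either way. Function names, the sample metadata and the scope sets are constructed for illustration.

```python
# Added example (not from the thread). All names and sample data are constructed.
from __future__ import annotations


def op_ignore_unknown(requested: str, supported: set[str]) -> tuple[str, str | None]:
    """OIDC Core 3.1.2.1 behaviour: scope values the OP does not understand are dropped.
    Returns (granted scope string, RFC 6749 5.2 error code or None)."""
    granted = [s for s in requested.split() if s in supported]
    return " ".join(granted), None


def op_reject_unsupported_dpop(requested: str, supported: set[str]) -> tuple[str, str | None]:
    """Keybinding section 1.5 as quoted in the thread: an OP that does not support
    `dpop` MUST answer `invalid_scope`. Other unknown scopes are still ignored."""
    if "dpop" in requested.split() and "dpop" not in supported:
        return "", "invalid_scope"
    return op_ignore_unknown(requested, supported)


def client_build_scope(wanted: list[str], metadata: dict) -> tuple[str, bool]:
    """Filip's proposal: only request `dpop` when the OP advertises it in
    `scopes_supported` (RFC 8414 / OIDC Discovery). Returns (scope, dpop expected)."""
    advertised = set(metadata.get("scopes_supported", []))
    if "dpop" not in advertised:
        wanted = [s for s in wanted if s != "dpop"]
    return " ".join(wanted), "dpop" in wanted


def client_check_granted(expected_dpop: bool, granted: str) -> bool:
    """Defensive check independent of OP policy: treat the token as key-bound only if
    the token response's `scope` echoes `dpop`; a silently dropped scope must not be
    mistaken for a bound token."""
    return (not expected_dpop) or ("dpop" in granted.split())


# Constructed sample OPs: a legacy one without dpop and a dpop-capable one.
LEGACY_OP = {"supported": {"openid", "profile", "email"},
             "metadata": {"issuer": "https://legacy.example",
                          "scopes_supported": ["openid", "profile", "email"]}}
DPOP_OP = {"supported": {"openid", "profile", "dpop"},
           "metadata": {"issuer": "https://modern.example",
                        "scopes_supported": ["openid", "profile", "dpop"]}}

if __name__ == "__main__":
    # Unconditional "openid dpop" request to the legacy OP: narrowed silently vs. rejected.
    print(op_ignore_unknown("openid dpop", LEGACY_OP["supported"]))           # ('openid', None)
    print(op_reject_unsupported_dpop("openid dpop", LEGACY_OP["supported"]))  # ('', 'invalid_scope')
    # A discovery-aware client never sends dpop to the legacy OP in the first place.
    print(client_build_scope(["openid", "dpop"], LEGACY_OP["metadata"]))       # ('openid', False)
    print(client_build_scope(["openid", "dpop"], DPOP_OP["metadata"]))         # ('openid dpop', True)
```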