[Openid-specs-fapi] Issue #494: FAPI1Adv: Apparent inconsistency in RP tests compared to OP tests (openid/fapi)

josephheenan issues-reply at bitbucket.org
Tue Apr 19 16:04:59 UTC 2022


New issue 494: FAPI1Adv: Apparent inconsistency in RP tests compared to OP tests
https://bitbucket.org/openid/fapi/issues/494/fapi1adv-apparent-inconsistency-in-rp

Joseph Heenan:

There’s an apparent inconsistency in the RP tests and the OP tests for FAPI1 Advanced.

In the FAPI1Adv RP tests, we have a test for clause 5.2.3-10 in FAPI1-base:

> shall verify that the scope received in the token response is either an exact match or contains a subset of the scope sent in the authorization request

The test includes an extra random scope in the token endpoint response, and expects the client to fail.

In the FAPI1Adv OP tests, we don’t appear to do any checks on the scope returned by the token endpoint, i.e. we don’t seem to be failing OPs if they decide to return extra unrequested scopes.

The two obvious ways to resolve this inconsistency seem to be to either:

1. Remove the RP test, or,
2. Update the OP test to check scope if it is returned from the token endpoint

Guidance from the FAPI WG on the way forward would be appreciated please. I believe this issue was raised in this conformance suite issue: [https://gitlab.com/openid/conformance-suite/-/issues/966](https://gitlab.com/openid/conformance-suite/-/issues/966)
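As an added illustration (not code from the issue or from the conformance suite), the check behind clause 5.2.3-10 written out once and applied from both sides: the client-side validation the RP test expects, and the same rule as the OP-side check that option 2 proposes. It assumes OAuth 2.0 space-delimited scope strings and treats an omitted scope parameter as acceptable, as RFC 6749 section 5.1 allows when the granted scope is identical to the request.

```python
import secrets


def parse_scope(scope_value):
    """Split an OAuth 2.0 scope string (space-delimited, RFC 6749 3.3) into a set.
    Returns None when the parameter is absent from the response."""
    if scope_value is None:
        return None
    return {s for s in scope_value.split(" ") if s}


def scope_response_is_acceptable(requested_scope, token_response):
    """Client-side check for FAPI1-base clause 5.2.3-10: the scope in the token
    response must be an exact match of, or a subset of, the scope sent in the
    authorization request. An absent scope parameter is accepted because RFC 6749
    5.1 lets the server omit it when the granted scope equals the request."""
    returned = parse_scope(token_response.get("scope"))
    if returned is None:
        return True
    requested = parse_scope(requested_scope) or set()
    return returned.issubset(requested)


def op_scope_check(requested_scope, token_response):
    """Server-side variant (option 2 in the issue): the same rule applied by a
    test to an OP's token response. Returns (passed, sorted list of unrequested
    scopes) so a failing test can report what the OP added."""
    returned = parse_scope(token_response.get("scope")) or set()
    requested = parse_scope(requested_scope) or set()
    extra = returned - requested
    return (len(extra) == 0, sorted(extra))


def simulated_rp_test(requested_scope):
    """Constructed stand-in for the RP test described in the issue: the token
    response carries one extra random scope, and a conforming client must reject
    it. Returns True when the client check rejects the response as required."""
    extra = "x" + secrets.token_hex(4)  # random, never one the client asked for
    response = {
        "access_token": "constructed-token",  # constructed sample value
        "token_type": "Bearer",
        "scope": f"{requested_scope} {extra}",
    }
    return not scope_response_is_acceptable(requested_scope, response)
```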
