[Openid-specs-fapi] Issue #742: 5.2.3. Public client interpretation (openid/fapi)
Nat
issues-reply at bitbucket.org
Wed May 21 13:17:44 UTC 2025
New issue 742: 5.2.3. Public client interpretation
https://bitbucket.org/openid/fapi/issues/742/523-public-client-interpretation
Nat Sakimura:
I was asked whether 10 and 11 only apply if `openid` is not in the scope. Or does the “If `openid` is not in the `scope` value, then the public client” apply only to 9?
The current text goes:
If `openid` is not in the `scope` value, then the public client
9. shall include the `state` parameter defined in Section 4.1.1 of [RFC6749](https://tools.ietf.org/html/rfc6749);
10. shall verify that the `scope` received in the token response is either an exact match, or contains a subset of the `scope` sent in the authorization request; and
11. shall only use Authorization Server metadata obtained from the metadata document published by the Authorization Server at its well known endpoint as defined in [OIDD](http://openid.net/specs/openid-connect-discovery-1_0.html) or [RFC8414](https://tools.ietf.org/html/rfc8414).
**NOTE**: Adherence to [RFC7636](https://tools.ietf.org/html/rfc7636) means that the token request includes `code_verifier` parameter in the request.
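For readers working out what items 9 to 11 mean in practice, the following is an added example (not code from the FAPI specification, the OpenID Foundation, or the issue author). It shows the checks a public client would run around a code flow: generating and verifying `state` (item 9), accepting a token response `scope` only when it is an exact match or a subset of what was requested (item 10), and building the well-known metadata URLs defined by OIDD and RFC 8414 and checking the `issuer` field in the returned document (item 11). Endpoint URLs, client identifiers and the sample callback/token response are constructed placeholders, not values from any real deployment.

```python
"""Public-client checks around an authorization code exchange, covering the
three requirements quoted above. Added example: not code from the FAPI
specification, the OpenID Foundation, or the issue author. All URLs, client
identifiers and sample responses are constructed for illustration."""
import secrets
from typing import Optional, Set, Tuple
from urllib.parse import parse_qs, urlencode, urlparse


def scope_set(scope: Optional[str]) -> Set[str]:
    # RFC 6749 s3.3: scope is a space-delimited list of case-sensitive tokens.
    return set(scope.split()) if scope else set()


def new_state() -> str:
    # Item 9: the public client shall include `state`; it must be unguessable
    # and bound to the browser session so the callback can be correlated.
    return secrets.token_urlsafe(32)


def build_authorization_request(auth_endpoint: str, client_id: str,
                                redirect_uri: str, scope: str, state: str) -> str:
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": scope, "state": state}
    return f"{auth_endpoint}?{urlencode(params)}"


def callback_code(callback_url: str, expected_state: str) -> Optional[str]:
    """Return the authorization code only if `state` matches the value issued
    for this session; otherwise None (the response must be discarded)."""
    q = parse_qs(urlparse(callback_url).query)
    state = q.get("state", [None])[0]
    if state is None or not secrets.compare_digest(state, expected_state):
        return None
    return q.get("code", [None])[0]


def granted_scope(requested: str, granted: Optional[str]) -> Set[str]:
    """Item 10: the token response scope must be an exact match or a subset
    of the requested scope. RFC 6749 s5.1 lets the server omit `scope` when
    it is identical to the request, so None is treated as an exact match.
    An empty string is rejected as malformed (the grammar requires at least
    one scope-token), which is stricter than the quoted rule alone."""
    req = scope_set(requested)
    if granted is None:
        return req
    got = scope_set(granted)
    if not got:
        raise ValueError("token response carried an empty scope")
    extra = got - req
    if extra:
        raise ValueError(f"server granted scope that was never requested: {sorted(extra)}")
    return got


def scope_acceptable(requested: str, granted: Optional[str]) -> bool:
    try:
        granted_scope(requested, granted)
        return True
    except ValueError:
        return False


def metadata_urls(issuer: str) -> Tuple[str, str]:
    """Item 11: the two well-known locations the client may consult.
    OIDD s4 appends the suffix to the issuer; RFC 8414 s3 inserts it between
    host and path. Both are derived from the issuer, never from a URL the
    client was handed by a third party."""
    u = urlparse(issuer)
    path = u.path.rstrip("/")
    oidd = f"{u.scheme}://{u.netloc}{path}/.well-known/openid-configuration"
    rfc8414 = f"{u.scheme}://{u.netloc}/.well-known/oauth-authorization-server{path}"
    return oidd, rfc8414


def metadata_issuer_matches(metadata: dict, issuer: str) -> bool:
    # RFC 8414 s3.3 / OIDD s4.3: the `issuer` in the document must equal the
    # issuer used to build the URL, or the document is rejected.
    return metadata.get("issuer") == issuer


if __name__ == "__main__":
    # Constructed walk-through with placeholder values.
    issuer = "https://as.example.com/tenant1"
    state = new_state()
    url = build_authorization_request(f"{issuer}/authorize", "public-app",
                                      "https://app.example.org/cb",
                                      "accounts payments", state)
    print(url)
    cb = f"https://app.example.org/cb?code=SplxlOBeZQQYbYS6WxSbIA&state={state}"
    print("code:", callback_code(cb, state))
    print("granted:", granted_scope("accounts payments", "accounts"))
    print(metadata_urls(issuer))
```

`granted_scope` deliberately treats extra scope as a hard failure rather than trimming it: a token that carries privileges the client never asked for is a sign of a misbehaving or substituted server, and the client has no business using it.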