[Openid-specs-mobile-profile] Issue #113: CIBA: the behavior when the "openid" scope value is not present (openid/mobile)
issues-reply at bitbucket.org
Wed Nov 7 07:15:23 UTC 2018
New issue 113: CIBA: the behavior when the "openid" scope value is not present
The page 10 of the 6th draft (draft-mobile-client-initiated-backchannel-authentication-06) says:
> CIBA authentication requests MUST therefore contain the "openid" value and the behavior is entirely unspecified, if the "openid" scope value is not present.
Some people think that the term "unspecified" includes not only erroneous behaviors but also successful behaviors. However, if "unspecified" allows successful cases, it will become meaningless for the specification to use "MUST".
Therefore, "the behavior is entirely unspecified" should be replaced with a sentence like "an error will occur".
More information about the Openid-specs-mobile-profile