[Openid-specs-mobile-profile] Issue #113: CIBA: the behavior when the "openid" scope value is not present (openid/mobile)
Takahiko Kawasaki
issues-reply at bitbucket.org
Wed Nov 7 07:15:23 UTC 2018
New issue 113: CIBA: the behavior when the "openid" scope value is not present
https://bitbucket.org/openid/mobile/issues/113/ciba-the-behavior-when-the-openid-scope
Takahiko Kawasaki:
Page 10 of the 6th draft (draft-mobile-client-initiated-backchannel-authentication-06) says:
> CIBA authentication requests MUST therefore contain the "openid" value and the behavior is entirely unspecified, if the "openid" scope value is not present.
Some people think that the term "unspecified" includes not only erroneous behaviors but also successful behaviors. However, if "unspecified" allows successful cases, it will become meaningless for the specification to use "MUST".
cf. https://www.ietf.org/mail-archive/web/oauth/current/msg17364.html
Therefore, "the behavior is entirely unspecified" should be replaced with a sentence like "an error will occur".