[Openid-specs-mobile-profile] Issue #113: CIBA: the behavior when the "openid" scope value is not present (openid/mobile)

Takahiko Kawasaki issues-reply at bitbucket.org
Wed Nov 7 07:15:23 UTC 2018


New issue 113: CIBA: the behavior when the "openid" scope value is not present
https://bitbucket.org/openid/mobile/issues/113/ciba-the-behavior-when-the-openid-scope

Takahiko Kawasaki:

Page 10 of the 6th draft (draft-mobile-client-initiated-backchannel-authentication-06) says:

> CIBA authentication requests MUST therefore contain the "openid" value and the behavior is entirely unspecified, if the "openid" scope value is not present.

Some people think that the term "unspecified" includes not only erroneous behaviors but also successful behaviors. However, if "unspecified" allows successful cases, it will become meaningless for the specification to use "MUST".

cf. https://www.ietf.org/mail-archive/web/oauth/current/msg17364.html

Therefore, "the behavior is entirely unspecified" should be replaced with a sentence like "an error will occur".



