Basic - 3.1. Scope difference between OAuth and Connect

Issue #132 resolved
hideki nara created an issue

Minor issue. This might be due to my lack of English ability.

Draft 13 says:

".. The scopes associated with access tokens determine what resources will be available when they are used to access OAuth 2 protected endpoints. For OpenID Connect, scopes request what information is to be made available from the UserInfo Endpoint, and to request a id_token. ..."

I can understand the scope of OAuth from the sentence, but not for Connect, especially the id_token, from these sentences.

My understanding is that "OAuth Scope is for URLs, Connect Scope is for Claims". I hope it will be described more clearly in some way.

Comments (3)

  1. John Bradley

    OAuth scopes are for resources.

    One or more resources may live at a URL.

    As an example, https://graph.facebook.com/me returns a JSON object containing claims based on the granted scopes of the access token.

    The User-Info endpoint is doing the same thing.

    The openid scope requests an id_token resource. That is provided in the URI fragment from the authorization server or from the token endpoint.

    It is not an OAuth token because people didn't want it being able to be sent to the Check Session endpoint in an authorization header.

    The problem is that in OAuth we only have scopes as a way to request things. Asking for an additional token vs. API access privileges is different, so it makes the explanation awkward.

    Treating both tokens as OAuth would have made explaining it easier, but the coding harder.

    I will have to take another try at this.

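The distinction discussed in the thread (an OAuth scope names a resource; an OpenID Connect scope names a set of claims, with `openid` additionally requesting an id_token) can be made concrete by modelling the provider side of it. The following is an added example, not code from the issue or from the OpenID Connect project: it implements the standard scope-to-claims mapping from OpenID Connect Core 1.0 Section 5.4 (`profile`, `email`, `address`, `phone`), always returns `sub` as Section 5.3.2 requires, treats any other scope as a plain OAuth resource scope that contributes no claims, and reports where an id_token is delivered (URI fragment for `id_token` response types, token endpoint for `code`). The user record and the helper names (`parse_scope`, `claims_for_scopes`, `resource_scopes`, `userinfo_response`, `id_token_delivery`) are assumptions made for this illustration. Core 3.1.2.1 leaves behaviour without the `openid` scope unspecified; this example chooses to reject such a UserInfo request, which is a policy decision, not something the spec mandates.

```python
from typing import Dict, List, Set

# Scope -> claims mapping as given in OpenID Connect Core 1.0, Section 5.4.
SCOPE_CLAIMS: Dict[str, List[str]] = {
    "profile": [
        "name", "family_name", "given_name", "middle_name", "nickname",
        "preferred_username", "profile", "picture", "website", "gender",
        "birthdate", "zoneinfo", "locale", "updated_at",
    ],
    "email": ["email", "email_verified"],
    "address": ["address"],
    "phone": ["phone_number", "phone_number_verified"],
}

# Constructed user record standing in for the provider's user store (hypothetical data).
USER: Dict[str, object] = {
    "sub": "248289761001",
    "name": "Jane Doe",
    "given_name": "Jane",
    "family_name": "Doe",
    "email": "janedoe@example.com",
    "email_verified": True,
    "phone_number": "+1 (425) 555-1212",
    "phone_number_verified": False,
    "address": {"country": "US"},
}


def parse_scope(scope: str) -> List[str]:
    """Split a space-delimited scope value (RFC 6749 3.3), dropping duplicates and empties."""
    seen: Set[str] = set()
    out: List[str] = []
    for s in scope.split():
        if s not in seen:
            seen.add(s)
            out.append(s)
    return out


def id_token_requested(scopes: List[str]) -> bool:
    """The openid scope is what asks for an id_token; without it this is plain OAuth 2."""
    return "openid" in scopes


def claims_for_scopes(scopes: List[str]) -> Set[str]:
    """Claims the UserInfo endpoint may release for the granted scopes. sub is always included."""
    claims: Set[str] = {"sub"}
    for s in scopes:
        claims.update(SCOPE_CLAIMS.get(s, []))
    return claims


def resource_scopes(scopes: List[str]) -> List[str]:
    """Scopes that are neither openid nor a claims scope: ordinary OAuth scopes naming resources.
    They change nothing at UserInfo; a resource server would interpret them."""
    return [s for s in scopes if s != "openid" and s not in SCOPE_CLAIMS]


def userinfo_response(scope: str, user: Dict[str, object] = USER) -> Dict[str, object]:
    """Build the UserInfo JSON for an access token granted with `scope`.
    Policy chosen for this example: no openid scope means no OpenID Connect
    authentication took place, so the request is refused."""
    scopes = parse_scope(scope)
    if not id_token_requested(scopes):
        raise PermissionError("access token was not issued with the openid scope")
    allowed = claims_for_scopes(scopes)
    return {k: v for k, v in user.items() if k in allowed}


def id_token_delivery(response_type: str, scopes: List[str]) -> Set[str]:
    """Where the id_token is delivered, per OpenID Connect Core 3.1-3.3:
    'id_token' in response_type -> authorization response (URI fragment);
    'code' in response_type    -> token endpoint response.
    An empty set means no id_token is issued at all."""
    if not id_token_requested(scopes):
        return set()
    rt = set(response_type.split())
    where: Set[str] = set()
    if "id_token" in rt:
        where.add("fragment")
    if "code" in rt:
        where.add("token_endpoint")
    return where


if __name__ == "__main__":
    granted = "openid email read:calendar"
    print("UserInfo:", userinfo_response(granted))
    print("resource scopes:", resource_scopes(parse_scope(granted)))
    print("id_token via:", id_token_delivery("code id_token", parse_scope(granted)))
```

Running the block shows the split the thread is about: `read:calendar` is passed through untouched for whatever resource server understands it, `email` selects exactly two claims from the user record, and `openid` is the only scope that causes an id_token to exist at all.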