-
assigned issue to
Edmund Jay
- changed status to open
Basic - 3.1 scopes not attached to tokens
Issue #61
resolved
Section 3.1 claims that it uses scopes as defined by OAuth 2, which defines them as associated with access/refresh tokens.
Section 3.1 in turn seems to associate scopes with protected resource endpoints and doesn't say anything about the specific token(s) each scope is supposed to be associated with.
This is particularly ambiguous since there are two tokens issued, and the ID token / check session endpoint do not seem to be an OAuth 2 token/protected resource pair.
Comments (3)
-
-
Currentl 3.1 is written as
3.1. OpenID Connect Scopes This profile describes two OpenID Connect endpoints that the client may request scopes for. The scopes request what information is to be made available from each of the endpoints for the current user. The User may decline a scope request by the client. To increase conversion, a site may elect to only request a subset of the information from the User Info endpoint. OpenID Connect uses scopes as defined in 4.2.1 of OAuth 2.0 [OAuth.2.0]. The Check Session Endpoint has a single scope openid REQUIRED. Requests the user_id and other session information. The User Info Endpoint scopes are: profile OPTIONAL requests default profile information. email OPTIONAL requests an email address. address OPTIONAL requests an address. These scopes are additive if a RP wanted the default profile including email and address they would request: The following is a non-normative example of a Scope Request. scope=openid profile email phone
It does not make sense. Needs to be rewritten.
-
- changed status to resolved
fixes
#61Basic - 3.1 scopes not attached to tokens - Log in to comment
