scopes metadata parameter needs to be defined
The example in section 3.1 of the federation spec uses a metadata element “scopes” underneath “openid_relying_party” but this parameter is undefined yet.
OpenID Connect Dynamic Client Registration does not define any scope related element. RFC 7591 defines an element “scope” as a "String containing a space-separated list of scope values”.
I think there are two options: “scopes” is retained and defined or the spec is changed to use the “scope” definition from RFC 7591 (and RFC 6749).
Comments (18)
-
-
- changed status to open
2022-Mar-10 Connect call. We discussed the benefit of
scopes
array. It was pointed out thatscope
andscopes
might be confusing and better name forscopes
should be considered. -
Do we have to revert this?
https://bitbucket.org/openid/connect/commits/9f0033295d659a651ec0a030b703745f09914639#Lopenid-connect-federation-1_0.xmlT507I’m keeping on hold this aspect here, if I well understood that it will remain scopes, as it was
https://github.com/italia/spid-cie-oidc-django/issues/115 -
reporter I think we should revert the name change. „scope“ as array completes the confusion as it deviates from the OAuth definition. Or we use a completely different term as suggested in the last call.
-
@Roland Hedberg is this Issue linked to this PR https://bitbucket.org/openid/connect/pull-requests/141?
-
The specification’s use of
scope
now appears to be aligned with OAuth 2.0, andscopes
is gone. I propose that we close this issue on that basis. -
I didn’t understand if in the metadata policy claim, in the entity statement, the correct claim name is
scope
orscopes
I’m completely neutral with this, I just need the final decision to update my implementations -
reporter I cannot find a definition of how this policy
"scope": {
"subset_of": ["openid", "profile", "email", "phone"]}
can be applied to a client policy of this form
"scope": "read write"
Additionally, the spec refers to the OpenID Connect Client Registration spec only (which does not define “scope”). A reference to RFC 7591 needs to be added to enable RP policies to use “scope”.
-
the intersection of
read write
andopenid profile email phone
returns a void array
this means that thedefault
value would be applied if present in the metadata_policy, if a default value is absent the OP would reject the request because it’s not openid compliant -
reporter You seem to assume the string scope represents a set of scope values (so ordering e.g. does not matter)? That needs then to be stated in the spec since it is not defined someplace else.
-
I read in 5.1. Metadata Policy
Each policy entry applies to one metadata parameter, such as id_token_signing_alg.
I assume that all the claims defined in OIDC Dynamic client registration and Provider discovery can be modified by a policy, the ordering of the values doesn’t matter.
-
As discussed on the 21-Apr-22 working group call, https://datatracker.ietf.org/doc/html/rfc6749#section-3.3 says this about
scope
values:The strings are defined by the authorization server. If the value contains multiple space-delimited strings, their order does not matter, and each string adds an additional access range to the requested scope.
It’s a separate but related question whether we need to repeat this in the Federation spec.
-
In “OpenID Connect Discovery 1.0“ in “OpenID Provider Metadata“ we have the claim scopes_supported.
In “OpenID Connect Dynamic Client Registration“ we don’t have any claims called scope or scopes.
As you mention RFC6749 has this claim in the OAuth2 Client metadata and as I can see the current OIDC Fed specs also mentioned this here and in the non normative example of the Entity Statements and 5.1.5. Policy Combination Example.
If there were no further comments I would consider this issue resolved and ready to close :-)
-
-
assigned issue to
As discussed on the 21-Apr-22 working group call, https://datatracker.ietf.org/doc/html/rfc6749#section-3.3 says this about
scope
values:The strings are defined by the authorization server. If the value contains multiple space-delimited strings, their order does not matter, and each string adds an additional access range to the requested scope.
I will add a reminder that this is the case to the specification. Then we should be able to close this issue.
-
assigned issue to
-
reporter @guiseppe: I’m not aware of a definition of client metadata in RFC 6749. So there is still no definition of “scope” as client metadata parameter at all. I suggest to add it to the federation spec.
-
thank you @torsten, scope it’s for AS and not for client, my bad, so the meaning of my comment is related to the OP metadata.
I don’t see any need to define scope for the RP metadata in oidc federation 1.0. If I miss something or you like the scope in the RP metadata, please share your good points here -
-
- changed status to resolved
- Log in to comment
In the example of the entity statements, in the metadata policy values.
@roland Is there any consideration or impediment to converge on the use of the claim scope and abandon Scopes?