[has-PR] Should AS entirely ignore the scopes in OpenID4VCI and 4VP that it does not understand

Issue #1572 resolved
Kristina Yasuda created an issue

Currently, OpenID4VCI and 4VP instruct that "Providers who do not understand the value of this scope in a request MUST ignore it entirely."

Tobias has pointed out that this behaviour is not in line with RFC 6749, which says

```
The authorization server MAY fully or partially ignore the scope
requested by the client, based on the authorization server policy or
the resource owner's instructions. If the issued access token scope
is different from the one requested by the client, the authorization
server MUST include the "scope" response parameter to inform the
client of the actual scope granted.
```

and suggested we remove the current requirement to ignore.

From a PR comment cc @Tobias Looker

Comments (9)

  1. Brian Campbell

    Note also that RFC 6749 has an invalid_scope error code for the authorization endpoint response. In practice many/most ASs will respond with that error when seeing scope values that aren’t understood.

  2. Kristina Yasuda reporter

    Would changing the text to something like "Providers who do not understand the value of this scope in a request MUST return an `invalid_scope` error code." make sense?

  3. Thomas Bellebaum

    @Kristina What exactly is “this scope”? “A given scope”?

    Also: How does an AS know whether a request is a simple OAuth request (as in RFC 6749, for which it may ignore unknown scopes) or a credential issuance request, if all that differentiates the two is the (in this case) unknown scopes?

    Below the example from the current master branch:

    ```http
    HTTP/1.1 302 Found
    Location: https://server.example.com/authorize?
      response_type=code
      &scope=com.example.healthCardCredential
      &client_id=s6BhdRkqt3
      &code_challenge=E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM
      &code_challenge_method=S256
      &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb
    ```

  4. Kristina Yasuda reporter

    A scope that is a credential type that the wallet is requesting to be issued.

    "How does an AS know whether a request is a simple OAuth request (as in RFC 6749, for which it may ignore unknown scopes) or a credential issuance request, if all that differentiates the two is the (in this case) unknown scopes?"

    I do not think the AS needs to know. It is a usual OAuth flow, hence the error behavior should be the same regardless of whether it is RFC 6749 or OpenID4VCI.

  5. Kristina Yasuda reporter

    But I do wonder if this text also applies to credential issuance: "If the issued access token scope is different from the one requested by the client". This would mean the issuer issued a credential other than the one the client was requesting, which sounds wrong at first thought, and I am not sure if there are use cases like this.

    Updated: Torsten helped me by clarifying that this text is related to cases where the AS transformed or reduced the scope associated with the access token not to cases where the AS does not know the scope at all.
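The two AS behaviours debated in this thread, modelled side by side, as an added example that is not from the OpenID4VCI spec or any of the commenters: an AS that either rejects unknown scope values with `invalid_scope` or drops them (the current OpenID4VCI wording), plus the RFC 6749 rule that the token response must carry `scope` when the granted scope differs, and the wallet-side check that makes the "ignore" case detectable. The scope set, policy names and token value are assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Scopes this hypothetical AS understands: two plain OAuth scopes plus the
# credential-type scope from the authorization request example above.
KNOWN_SCOPES = {"openid", "profile", "com.example.healthCardCredential"}


@dataclass
class AuthzResult:
    granted: List[str] = field(default_factory=list)
    error: Optional[str] = None


def handle_scope(requested: str, policy: str = "reject") -> AuthzResult:
    """Apply AS policy to the space-delimited 'scope' request parameter.

    policy="reject": any unknown value -> invalid_scope (what most ASs do).
    policy="ignore": unknown values are silently dropped (the behaviour the
    current OpenID4VCI text mandates); only the known values are granted.
    """
    values = requested.split()
    unknown = [s for s in values if s not in KNOWN_SCOPES]
    if unknown and policy == "reject":
        return AuthzResult(error="invalid_scope")
    return AuthzResult(granted=[s for s in values if s in KNOWN_SCOPES])


def token_response(requested: str, result: AuthzResult) -> dict:
    """Build the token endpoint JSON body. Per RFC 6749 section 5.1, 'scope'
    is REQUIRED when it differs from what the client asked for."""
    if result.error:
        return {"error": result.error}
    body = {"access_token": "constructed-token", "token_type": "Bearer"}
    if set(result.granted) != set(requested.split()):
        body["scope"] = " ".join(result.granted)
    return body


def wallet_has_credential_scope(response: dict, requested: str, wanted: str) -> bool:
    """Wallet-side check: a token without an error is not enough, because an
    AS running the 'ignore' policy may have dropped the credential scope.
    If 'scope' is absent, RFC 6749 says the granted scope equals the request."""
    if "error" in response:
        return False
    granted = response.get("scope", requested).split()
    return wanted in granted
```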
