Messages and Standard - Inconsistent treatment of OAuth parameters in OpenID request message

Issue #575 resolved
Michael Jones created an issue

As reported by Vladimir Dzhuvinov, says

"All [...] parameters MUST also be JSON Serialized into the OpenID Request Object with the same values."

whereas says

"If the same parameters are present both in the Authorization Request and in the OpenID Request Object, the latter takes precedence."

This is both inconsistent and confusing.

Comments (2)

  1. Michael Jones reporter

    We agreed to change Messages and Standard to state that it is optional to also include OAuth parameters in the OpenID request object, but that if they are in both places, they MUST match.

    Optional OAuth parameters MAY be present only in the OpenID Request object. The one exception to this is that that the scope parameter is the one OAuth parameter that MUST be present in the OAuth request (so the "openid" scope is always present in the OAuth request).

  2. Log in to comment