Basic - 3.1 scopes not attached to tokens

Issue #61 resolved
created an issue

Section 3.1 claims that it uses scopes as defined by OAuth 2, which defines them as associated with access/refresh tokens.

Section 3.1 in turn seems to associate scopes with protected resource endpoints and doesn't say anything about the specific token(s) each scope is supposed to be associated with.

This is particularly ambiguous since there are two tokens issued, and the ID token / check session endpoint do not seem to be an OAuth 2 token/protected resource pair.

Comments (3)

  1. Nat Sakimura

    Currentl 3.1 is written as

    3.1.  OpenID Connect Scopes
    This profile describes two OpenID Connect endpoints that the client may request scopes for.
    The scopes request what information is to be made available from each of the endpoints for the current user. The User may decline a scope request by the client.
    To increase conversion, a site may elect to only request a subset of the information from the User Info endpoint.
    OpenID Connect uses scopes as defined in 4.2.1 of OAuth 2.0 [OAuth.2.0].
    The Check Session Endpoint has a single scope
    REQUIRED. Requests the user_id and other session information.
    The User Info Endpoint scopes are:
    OPTIONAL requests default profile information.
    OPTIONAL requests an email address.
    OPTIONAL requests an address.
    These scopes are additive if a RP wanted the default profile including email and address they would request:
    The following is a non-normative example of a Scope Request.
    scope=openid profile email phone

    It does not make sense. Needs to be rewritten.

  2. Log in to comment