Authorisation request with UserInfo claims but no token in response_type

Issue #671 resolved
Vladimir Dzhuvinov created an issue

How should the AS respond if the authorisation request includes some UserInfo claims (through "scope" or request object), however the "response_type" doesn't include a "token"?

Should the AS ignore the UserInfo claims request and just proceed?

Or should it return an error?

Comments (8)

  1. Michael Jones

    It's a malformed request to ask for claims from the UserInfo endpoint and not to request a code or token enabling access to those claims. An error should be returned.
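
An added example, not from this thread or from the OpenID Connect specification text, of how an authorisation server could enforce the rule stated above: reject a request that asks for UserInfo claims (via the profile/email/address/phone scopes or a claims request) when response_type yields neither a code nor an access token. Assumptions: request-object parameters have already been merged into the `params` dict, and `invalid_request` is used as the error code.

```python
import json

# Scopes that OpenID Connect Core maps to UserInfo claims (profile, email, address, phone).
USERINFO_SCOPES = {"profile", "email", "address", "phone"}

# response_type values that lead to an access token (directly, or via the code grant).
ACCESS_GRANTING_TYPES = {"code", "token"}


def requests_userinfo_claims(params):
    """True if the request asks for UserInfo claims via scope or a 'claims' member."""
    scopes = set(params.get("scope", "").split())
    if scopes & USERINFO_SCOPES:
        return True
    claims = params.get("claims")
    if isinstance(claims, str):  # claims may arrive as a JSON string in the query
        try:
            claims = json.loads(claims)
        except ValueError:
            return False  # malformed JSON is rejected elsewhere as invalid_request
    return isinstance(claims, dict) and bool(claims.get("userinfo"))


def validate_userinfo_access(params):
    """Return None when the request is consistent, or an OAuth error object when
    UserInfo claims are requested but no code or token would be issued (assumed
    error code: invalid_request)."""
    response_type = set(params.get("response_type", "").split())
    if requests_userinfo_claims(params) and not (response_type & ACCESS_GRANTING_TYPES):
        return {
            "error": "invalid_request",
            "error_description": "UserInfo claims requested but response_type "
                                 "grants no access token (needs code or token)",
        }
    return None


if __name__ == "__main__":
    # Constructed sample: implicit flow asking only for an ID Token plus profile claims.
    print(validate_userinfo_access({"scope": "openid profile", "response_type": "id_token"}))
```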

  2. Brian Campbell

    FWIW, I disagree that scopes only apply to data from the User Info Endpoint, which was what was stated as prior consensus in a discussion on the Jan 3 call. Why don't the scopes correspond to the release of the corresponding user data regardless of how it's obtained? I realize it's probably moot at this point but wanted to say it for the record. What I'd previously been opposed to was using scopes as a switch to impact other protocol stuff - like the scope or scopes that said to include claims in the id token. To me anyway, having scopes linked to what data is being shared is a more comprehensible model.

  3. Michael Jones
    • changed status to open

    Brian believes that the text addressing this issue was removed in subsequent edits. I've reopened this issue so that we can review the current text to make sure that it is adequately addressed.

  4. Michael Jones

    The "requesting scopes" language was replaced with the more accurate current "requesting claims" language, but some of the intent may have been lost in the process.
