Authorisation request with UserInfo claims but no token in response_type
How should the AS respond if the authorisation request includes some UserInfo claims (through "scope" or request object), however the "response_type" doesn't include a "token"?
Should the AS ignore the UserInfo claims request and just proceed?
Or should it return an error?
Comments (8)
-
-
FWIW, I disagree that scopes only apply to data from the User Info Endpoint, which was what was stated as prior consensus in a discussion on the Jan 3 call. Why don't the scopes correspond to the release of the corresponding user data regardless of how it's obtained? I realize it's probably moot at this point but wanted to say it for the record. What I'd previously been opposed to was using scopes as a switch to impact other protocol stuff - like the scope or scopes that said to include claims in the id token. To me anyway, having scopes linked to what data is being shared is a more comprehensible model.
-
- changed status to resolved
Fixed
#671- Sec 2.1.1 added test to require client to request an access token for the UserInfo Endpoint if requesting the default scopes.→ <<cset 012b37990112>>
-
- changed status to open
Brian believes that the text addressing this issue was removed in subsequent edits. I've reopened this issue so that we can review the current text to make sure that it is adequately addressed.
-
I only noticed when looking at https://bitbucket.org/openid/connect/commits/012b37990112 and trying to find the text in the -15 of the published document. The text that's now in its place, I think, still conveys the intent. But it definitely changed since John's resolution to this ticket.
-
The "requesting scopes" language was replaced with the more accurate current "requesting claims" language, but some of the intent may have been lost in the process.
-
- changed status to resolved
Fixed
#671- Specified that an Access Token must be requested when Claims are requested from the UserInfo endpoint.→ <<cset 189a40acc54a>>
-
FYI, this decision was reversed by the decision on https://bitbucket.org/openid/connect/issue/785.
It's a malformed request to ask for claims from the UserInfo endpoint and not to request a code or token enabling access to those claims. An error should be returned.
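The check the ticket resolved on (an authorisation request that asks for UserInfo claims through scope values or a "claims" parameter, but whose response_type requests neither a code nor an access token, is rejected with an error) as an added worked example. This is example code written for this page, not code from the OpenID Connect specification or any AS implementation. It assumes the "profile", "email", "address" and "phone" scopes map to UserInfo claims, that "code" and "token" are the response_type components that lead to an access token, and that "invalid_request" is the error code returned; the request object case is assumed to have already been unpacked into the same flat parameter dictionary. Note that the FYI comment above says this decision was later reversed by issue 785, so this models the behaviour agreed in this ticket, not necessarily the final specification text.

```python
import json
from urllib.parse import parse_qs

# Assumption: scope values whose claims are served from the UserInfo Endpoint.
USERINFO_SCOPES = {"profile", "email", "address", "phone"}

# Assumption: response_type components that make an access token obtainable.
# "token" returns one directly; "code" can be exchanged for one.
ACCESS_TOKEN_RESPONSE_TYPES = {"code", "token"}


def parse_request(query: str) -> dict:
    """Flatten an authorisation request query string into {name: first_value}.
    A request object, if used, is assumed to have been merged in already."""
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def requests_userinfo_claims(params: dict) -> bool:
    """True if the request asks for claims that live at the UserInfo Endpoint,
    either via UserInfo-backed scope values or via the "userinfo" member of a
    "claims" parameter."""
    scopes = set(params.get("scope", "").split())
    if scopes & USERINFO_SCOPES:
        return True
    raw_claims = params.get("claims")
    if raw_claims:
        try:
            claims = json.loads(raw_claims)
        except ValueError:
            # Malformed JSON is a separate error; treat it as not requesting UserInfo claims here.
            return False
        if isinstance(claims, dict) and claims.get("userinfo"):
            return True
    return False


def requests_access_token(params: dict) -> bool:
    """True if response_type contains a component that yields an access token."""
    response_type = set(params.get("response_type", "").split())
    return bool(response_type & ACCESS_TOKEN_RESPONSE_TYPES)


def validate_authorization_request(params: dict):
    """Return None if the request is acceptable, otherwise an OAuth-style error
    dict that the AS would send back on the redirect URI."""
    if requests_userinfo_claims(params) and not requests_access_token(params):
        # Assumption: "invalid_request" is the error code used for this case.
        return {
            "error": "invalid_request",
            "error_description": (
                "UserInfo claims were requested but response_type does not "
                "request a code or an access token"
            ),
        }
    return None


if __name__ == "__main__":
    # Constructed sample requests (not captured traffic).
    samples = [
        "response_type=id_token&scope=openid+profile&client_id=c1&redirect_uri=https://rp.example/cb&nonce=n1",
        "response_type=code&scope=openid+profile&client_id=c1&redirect_uri=https://rp.example/cb",
        "response_type=id_token&scope=openid&client_id=c1&redirect_uri=https://rp.example/cb&nonce=n1",
        "response_type=id_token&scope=openid&claims=%7B%22userinfo%22%3A%7B%22email%22%3Anull%7D%7D&client_id=c1&nonce=n1",
    ]
    for q in samples:
        print(q.split("&client_id")[0], "->", validate_authorization_request(parse_request(q)))
```

Running the module prints an error only for the first and fourth sample requests: both ask for UserInfo claims with response_type=id_token, so no code or access token would be issued to fetch them. The second (code flow) and third (id_token with only the openid scope) pass.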