Behavior if scope parameter is omitted from authorization request

Issue #738 resolved
Former user created an issue

The OAuth 2.0 Specification, in section 3.3, says the following [1]:

If the client omits the scope parameter when requesting authorization, the authorization server MUST either process the request using a pre-defined default value or fail the request indicating an invalid scope. The authorization server SHOULD document its scope requirements and default value (if defined).

Regarding scopes, Messages 2.4 says that the "openid" scope is REQUIRED: "If the openid scope value is not present, the request MUST NOT be treated as an OpenID Connect request"[2].

If the scope parameter is omitted entirely, what is an OIDC server allowed/required to do? The requirement in Messages seems to indicate that a server may not default a non-scoped request to include the "openid" scope.
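As an added example (not part of the issue text or of any OpenID or OAuth specification), the following shows one way an authorization endpoint could apply the two quoted rules together: RFC 6749 §3.3 (omitted scope means either a documented default or an invalid_scope error) and OpenID Connect Messages §2.4 (the request is an OpenID Connect request only if the openid scope value is present). The documented default scope value `profile_read`, the `resolve_scope` and `error_redirect` function names and the sample query strings are all hypothetical. The example encodes the reading given in the issue: the server's default is an ordinary OAuth scope set, so a request that omitted scope never becomes an OIDC request. Whether a server may instead define a default that contains openid is exactly the open question and is not decided here. It also handles two edge cases from RFC 6749 §3.1: a scope parameter sent without a value is treated as omitted, and a repeated scope parameter is rejected.

```python
from dataclasses import dataclass, field
from typing import FrozenSet, Optional
from urllib.parse import parse_qs, urlencode

# Hypothetical server policy: the documented default used when a client
# omits scope (RFC 6749 section 3.3). Set to None to model a server that
# chooses the other permitted behaviour and fails such requests.
DEFAULT_SCOPE: Optional[FrozenSet[str]] = frozenset({"profile_read"})


@dataclass
class Decision:
    ok: bool
    scopes: FrozenSet[str] = field(default_factory=frozenset)
    is_oidc: bool = False
    error: Optional[str] = None
    error_description: Optional[str] = None


def resolve_scope(query: str,
                  default_scope: Optional[FrozenSet[str]] = DEFAULT_SCOPE) -> Decision:
    """Decide the effective scope of an authorization request query string."""
    params = parse_qs(query, keep_blank_values=True)
    values = params.get("scope", [])

    # RFC 6749 section 3.1: a parameter MUST NOT appear more than once.
    if len(values) > 1:
        return Decision(ok=False, error="invalid_request",
                        error_description="scope parameter repeated")

    # RFC 6749 section 3.1: a parameter sent without a value is treated as
    # omitted. Treating a whitespace-only value the same way is an assumption.
    raw = values[0].strip() if values else ""
    if raw == "":
        # RFC 6749 section 3.3: pre-defined default, or fail with invalid_scope.
        if default_scope is None:
            return Decision(ok=False, error="invalid_scope",
                            error_description="scope parameter is required")
        scopes = frozenset(default_scope)
    else:
        # scope is a space-delimited list (RFC 6749 section 3.3).
        scopes = frozenset(s for s in raw.split(" ") if s)

    # OpenID Connect Messages section 2.4: only an explicit openid value makes
    # this an OpenID Connect request; the default above never supplies it.
    return Decision(ok=True, scopes=scopes, is_oidc="openid" in scopes)


def error_redirect(redirect_uri: str, decision: Decision,
                   state: Optional[str] = None) -> str:
    """Build the error redirect of RFC 6749 section 4.1.2.1 for a failed decision."""
    if decision.ok:
        raise ValueError("error_redirect called for a successful decision")
    q = {"error": decision.error}
    if decision.error_description:
        q["error_description"] = decision.error_description
    if state is not None:  # echo state back whenever the client sent one
        q["state"] = state
    sep = "&" if "?" in redirect_uri else "?"
    return redirect_uri + sep + urlencode(q)


if __name__ == "__main__":
    # Constructed sample requests (not captured traffic).
    for q in ("response_type=code&client_id=abc",
              "response_type=code&client_id=abc&scope=",
              "response_type=code&client_id=abc&scope=openid%20email",
              "response_type=code&client_id=abc&scope=email"):
        d = resolve_scope(q)
        print(q, "->", "OIDC" if d.is_oidc else "plain OAuth", sorted(d.scopes))
    d = resolve_scope("response_type=code&client_id=abc", default_scope=None)
    print(error_redirect("https://client.example/cb", d, state="xyz"))
```

With the default configured, an omitted scope yields the plain OAuth default and the request is not treated as an OIDC request; with no default configured, the same request is answered with an invalid_scope error on the client's redirect URI, which are the two behaviours RFC 6749 §3.3 permits.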

Comments (2)