Correct me if I'm wrong about where and how to raise this issue related to the question. (I have signed and sent the Contribution Agreement.)
I am reading "Financial API - Part 1" and am not so sure about the scope specification in the Authorization Server.
First, sec5.2.3 requires a Public Client to "include openid in the scope value".
Then, sec5.2.4 requires a Confidential Client to do "In addition to the provisions for a Public Client, except for [RFC7636] support,...".
So I think this means an authorization request must include openid in the scope no matter what client type is being used.
However, sec5.2.2 states that the Authorization Server is only required to issue an ID token "when openid was included in the requested scope". So as a reader, I was a bit confused because I interpreted it as if there is a case when scope does not require
So what I want to send a pull request for is to remove the line "when openid was included in the requested scope as in Section 220.127.116.11 of [OIDC]" from 5.2.2-24, but before that I want to make sure that's the right idea. It will provide a solid understanding to readers.
Or could it be correct to add "including openid for scope" after "In addition to the provisions for a Public Client, except for [RFC7636] support, a Confidential Client" in sec5.2.4?