Question: Is including openid in the scope required?

Issue #138 resolved
Kengo Suzuki created an issue

Correct me if i'm wrong where and how raising this issue related to the question. ( I have signed and sent Contribution Agreement)

I am reading "Financial API - Part 1" and not being so sure about the scope specification in Authorization Server.

First, sec5.2.3 requires a Public Client to include openid in the scope value. Then, sec5.2.4 requires a Confidential Client to do In addition to the provisions for a Public Client, except for [RFC7636] support,...

So I think this makes a authorization request must include openid in the scope no matter what client type is being used.

However, sec5.2.2 state Authorization Server is only required to issue an ID token when openid was included in the requested scope. So as a reader, I was a bit confused because I interpreted it as if there is a case when scope does not require openid.

So what I want to send pull request is to remove the line when openid was included in the requested scope as in Section 3.1.3.3 of [OIDC] from 5.2.2-24, but before that I want to makes sure if that's a right idea. It will provide a solid understanding to readers.

Or could it be correct to add including openid for scope after In addition to the provisions for a Public Client, except for [RFC7636] support, a Confidential Client in sec5.2.4?

Thanks!

Comments (3)

  1. Joseph Heenan

    5.2.3 does NOT require the public client to include openid in the scope value; there is an 'if' before it:

    Further, if it is desired to obtain a persistent identifier of the authenticated user, then it

    shall include openid in the scope value; and

  2. Log in to comment