Question: Is including openid in the scope required?

Issue #138 resolved
Kengo Suzuki created an issue

Correct me if I'm wrong about where and how to raise this issue related to the question. (I have signed and sent the Contribution Agreement.)

I am reading "Financial API - Part 1" and am not so sure about the scope specification for the Authorization Server.

First, sec 5.2.3 requires a Public Client to include openid in the scope value. Then, sec 5.2.4 requires a Confidential Client to do so: "In addition to the provisions for a Public Client, except for [RFC7636] support, ..."

So I think this means an authorization request must include openid in the scope no matter what client type is being used.

However, sec 5.2.2 states the Authorization Server is only required to issue an ID token "when openid was included in the requested scope". So as a reader, I was a bit confused, because I interpreted it as if there is a case when the scope does not require openid.

So what I want to send a pull request for is removing the line "when openid was included in the requested scope as in Section 3.1.3.3 of [OIDC]" from 5.2.2-24, but before that I want to make sure that's the right idea. It will provide a solid understanding to readers.

Or could it be correct to add "including openid for scope" after "In addition to the provisions for a Public Client, except for [RFC7636] support, a Confidential Client" in sec 5.2.4?

Thanks!

Comments (8)

  1. Joseph Heenan

    5.2.3 does NOT require the public client to include openid in the scope value; there is an 'if' before it:

    > Further, if it is desired to obtain a persistent identifier of the authenticated user, then it shall include openid in the scope value; and
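The conditional reading given in the comment above, modelled as code. This is an added example written for this page, not code from the FAPI specification, the issue author or the commenter; the function names, the `S256` PKCE method, the sample scope `accounts` and the client/redirect values are all constructed assumptions. It shows the three rules at issue: a client adds `openid` only when it wants a persistent identifier, a public client must also carry a PKCE `code_challenge` (the [RFC7636] provision the confidential client is exempted from), and the authorization server decides whether to issue an ID token by checking for `openid` in the requested scope.

```python
import secrets
from urllib.parse import parse_qs, urlencode

# Rules modelled here, as discussed in the issue (FAPI Part 1 draft sections):
#   5.2.3 public client: include openid only IF a persistent identifier is desired
#   5.2.4 confidential client: same provisions, minus the RFC 7636 (PKCE) requirement
#   5.2.2 authorization server: issue an ID token when openid was in the requested scope


def build_scope(resource_scopes, want_persistent_identifier):
    """Assemble the scope value; openid is added only when the client wants
    a persistent identifier of the authenticated user."""
    scopes = list(resource_scopes)
    if want_persistent_identifier and "openid" not in scopes:
        scopes.insert(0, "openid")
    return " ".join(scopes)


def build_authorization_request(client_id, redirect_uri, scope, client_type,
                                code_challenge=None):
    """Return the URL-encoded query string of an authorization request.

    client_type is "public" or "confidential" (constructed labels). A public
    client must carry a PKCE code_challenge; a confidential client need not.
    """
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        # state must be unguessable in a real client; random value here
        "state": secrets.token_urlsafe(16),
    }
    if client_type == "public":
        if code_challenge is None:
            raise ValueError("public clients must send a PKCE code_challenge (RFC 7636)")
        params["code_challenge"] = code_challenge
        params["code_challenge_method"] = "S256"  # assumed PKCE method
    return urlencode(params)


def evaluate_request(query_string, client_type):
    """Simplified authorization-server view of the request.

    Returns a dict with the server's decisions: whether the request is
    accepted and, if so, whether an ID token will be issued (only when
    openid was requested), which is what gives the client a persistent
    identifier for the user.
    """
    params = {k: v[0] for k, v in parse_qs(query_string, strict_parsing=True).items()}
    requested = set(params.get("scope", "").split())
    if client_type == "public" and "code_challenge" not in params:
        return {"accepted": False, "reason": "missing code_challenge for public client"}
    return {
        "accepted": True,
        "issue_id_token": "openid" in requested,
        "persistent_identifier_available": "openid" in requested,
    }


if __name__ == "__main__":
    # Confidential client that only wants resource access: no openid, no ID token.
    q = build_authorization_request("rp-123", "https://rp.example/cb",
                                    build_scope(["accounts"], False), "confidential")
    print(evaluate_request(q, "confidential"))
    # Public client that wants a persistent identifier: openid present, ID token issued.
    q = build_authorization_request("rp-123", "https://rp.example/cb",
                                    build_scope(["accounts"], True), "public",
                                    code_challenge="constructed-challenge")
    print(evaluate_request(q, "public"))
```

Running the module shows the two outcomes side by side: the confidential client without `openid` is accepted but gets no ID token, while the public client that asked for `openid` gets one. This matches the 'if' the commenter points to: `openid` is not mandatory, so the "when openid was included" wording in 5.2.2 is the case where the client chose to ask for it.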
