CIBA: the behavior when the "openid" scope value is not present
Page 10 of the 6th draft (draft-mobile-client-initiated-backchannel-authentication-06) says:
CIBA authentication requests MUST therefore contain the "openid" value and the behavior is entirely unspecified, if the "openid" scope value is not present.
Some people think that the term "unspecified" includes not only erroneous behaviors but also successful behaviors. However, if "unspecified" allows successful cases, it will become meaningless for the specification to use "MUST".
cf. https://www.ietf.org/mail-archive/web/oauth/current/msg17364.html
Therefore, "the behavior is entirely unspecified" should be replaced with a sentence like "an error will occur".
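What a server actually does at the point the draft leaves open, as an added example that is not code from the CIBA draft or from any implementation: the request body is parsed, the scope value is split as RFC 6749 Section 3.3 defines, and the presence of "openid" decides whether the request is treated as a CIBA request. The rejection path returns invalid_scope, which is this example's own choice of error code (the draft says nothing about which code to use), and the opt-in branch for a separately defined non-OIDC profile is hypothetical, added only because the discussion on this issue wanted such a profile to remain possible. Sample request bodies are constructed.

```python
"""Triage of a backchannel authentication request by its "scope" parameter.

Added example, not code from the CIBA draft or from any implementation.
Assumptions: the request arrives as an application/x-www-form-urlencoded
body (the draft's HTTP POST), scope is split on spaces per RFC 6749
Section 3.3, and the error code used when "openid" is absent is
"invalid_scope" (the draft only says the behaviour is unspecified; the
code value is this example's choice).
"""
from typing import Dict, List, Optional
from urllib.parse import parse_qs


def parse_scope(scope_param: Optional[str]) -> List[str]:
    """Split an RFC 6749 scope value: space-delimited, case-sensitive tokens."""
    if scope_param is None:
        return []
    return [token for token in scope_param.split(" ") if token]


def triage_backchannel_request(form_body: str,
                               non_oidc_profile_enabled: bool = False) -> Dict[str, object]:
    """Decide whether a backchannel authentication request is a CIBA request.

    Returns a dict whose "status" is one of:
    - "ciba": "openid" is present, so the request is handled as CIBA.
    - "other_profile": "openid" is absent but the server has opted in to a
      separately specified non-OIDC profile (hypothetical; the draft defines
      none, it only leaves room for one).
    - "error": the request is rejected; "error" carries an OAuth 2.0 error code.
    """
    params = parse_qs(form_body, keep_blank_values=True)

    # RFC 6749 Section 3.1: a parameter MUST NOT be included more than once.
    scope_values = params.get("scope", [])
    if len(scope_values) > 1:
        return {"status": "error", "error": "invalid_request",
                "error_description": "scope parameter repeated"}

    scope = parse_scope(scope_values[0] if scope_values else None)

    # Case-sensitive membership test: "OpenID" is not the "openid" scope value.
    if "openid" in scope:
        return {"status": "ciba", "scope": scope}

    if non_oidc_profile_enabled:
        return {"status": "other_profile", "scope": scope}

    return {"status": "error", "error": "invalid_scope",
            "error_description": 'the "openid" scope value is required for a CIBA request'}


if __name__ == "__main__":
    # Constructed sample bodies, not captured traffic.
    for body in ("scope=openid%20email&login_hint=alice",
                 "scope=email&login_hint=alice",
                 "scope=openid&scope=email",
                 "login_hint=alice"):
        print(body, "->", triage_backchannel_request(body))
```

The repeated-parameter check is there because a request with two scope parameters, one of them containing "openid", would otherwise be classified depending on which value the form parser happened to keep; rejecting it as invalid_request removes that ambiguity before the openid test runs.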
Comments (5)
-
Discussed during the Nov 13 MODRNA WG call and there was general consensus to be somewhat more specific about why the behavior is unspecified. Which is to not unduly preclude some other specification or profile from defining what it would mean to have a backchannel authentication request without the openid scope. This might be, for example, a plain vanilla OAuth version of the flow that is basically the same but without an ID Token.
-
pull request #48 has text that attempts to be somewhat more specific about why the behavior is unspecified when scope doesn't have openid
-
- changed status to resolved
Pull request merged
-
unspecified means that it's not specified either way
-
the MUST is intended to say that it's not a CIBA request unless the openid scope value is present