CIBA: the behavior when the "openid" scope value is not present

Issue #113 resolved
Takahiko Kawasaki created an issue

Page 10 of the 6th draft (draft-mobile-client-initiated-backchannel-authentication-06) says:

CIBA authentication requests MUST therefore contain the "openid" value and the behavior is entirely unspecified, if the "openid" scope value is not present.

Some people think that the term "unspecified" includes not only erroneous behaviors but also successful behaviors. However, if "unspecified" allows successful cases, it will become meaningless for the specification to use "MUST".

cf. https://www.ietf.org/mail-archive/web/oauth/current/msg17364.html

Therefore, "the behavior is entirely unspecified" should be replaced with a sentence like "an error will occur".
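As an added example (not code from the issue, the MODRNA WG, or the draft), the check below shows the behaviour the issue asks for: an authorization server's backchannel authentication endpoint rejecting a request whose scope parameter does not contain the "openid" value. The function names, the sample request bodies, and the choice of invalid_scope as the error code are assumptions; the quoted draft text does not itself say which error is returned. The scope tokenization follows RFC 6749 section 3.3 (space-delimited, printable ASCII without space, double quote or backslash), so a malformed scope is also rejected rather than silently passed through.

```python
# Added example, not part of the issue or the CIBA draft. Assumed policy:
# a backchannel authentication request whose scope lacks "openid" is
# refused with an OAuth-style invalid_scope error (this mapping is an
# assumption, not text from the draft).
from urllib.parse import parse_qs


def _valid_scope_token(tok: str) -> bool:
    # RFC 6749 section 3.3: scope-token = 1*( %x21 / %x23-5B / %x5D-7E ),
    # i.e. printable ASCII except space, double quote and backslash.
    return len(tok) > 0 and all(
        c == "\x21" or "\x23" <= c <= "\x5b" or "\x5d" <= c <= "\x7e" for c in tok
    )


def parse_scope(raw: str) -> list[str]:
    """Split a space-delimited scope string into tokens.

    Raises ValueError if any token is empty or contains a character that
    RFC 6749 does not allow in a scope-token.
    """
    tokens = raw.split(" ")
    for tok in tokens:
        if not _valid_scope_token(tok):
            raise ValueError(f"malformed scope token: {tok!r}")
    return tokens


def check_backchannel_request(body: str) -> tuple[int, dict]:
    """Validate the scope of a backchannel authentication request.

    `body` is the application/x-www-form-urlencoded request body.
    Returns (http_status, json_body) the endpoint would answer with.
    """
    params = parse_qs(body, keep_blank_values=True)
    scopes = params.get("scope", [])
    # A missing or repeated parameter is a malformed request rather than a
    # scope problem, so it gets invalid_request.
    if len(scopes) != 1:
        return 400, {
            "error": "invalid_request",
            "error_description": "scope must be present exactly once",
        }
    try:
        tokens = parse_scope(scopes[0])
    except ValueError as exc:
        return 400, {"error": "invalid_scope", "error_description": str(exc)}
    # The check the issue is about: without "openid" this is not a CIBA
    # authentication request, so (assumed policy) it is refused.
    if "openid" not in tokens:
        return 400, {
            "error": "invalid_scope",
            "error_description": 'the "openid" scope value is required',
        }
    return 200, {"scope": tokens}


if __name__ == "__main__":
    # Constructed request bodies, not captured traffic.
    samples = [
        "scope=openid+email&login_hint=alice",   # accepted
        "scope=email&login_hint=alice",          # no openid -> invalid_scope
        "login_hint=alice",                      # no scope at all -> invalid_request
        'scope=openid+bad"token',                # malformed token -> invalid_scope
    ]
    for body in samples:
        print(body, "->", check_backchannel_request(body))
```

The split on a single space (rather than `str.split()`) is deliberate: a doubled space produces an empty token, which RFC 6749 does not permit, and the parser reports it instead of quietly collapsing it.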

Comments (5)

  1. Brian Campbell

    Unspecified means that it's not specified either way.

    The MUST is intended to say that it's not a CIBA request unless the openid scope value is present.

  2. Brian Campbell

    Discussed during the Nov 13 MODRNA WG call, and there was general consensus to be somewhat more specific about why the behavior is unspecified, which is to not unduly preclude some other specification or profile from defining what it would mean to have a backchannel authentication request without the openid scope. This might be, for example, a plain vanilla OAuth version of the flow that is basically the same but without an ID Token.

  3. Brian Campbell

    Pull request #48 has text that attempts to be somewhat more specific about why the behavior is unspecified when scope doesn't have openid.