CIBA: the behavior when the "openid" scope value is not present

Issue #113 resolved
Takahiko Kawasaki created an issue

The page 10 of the 6th draft (draft-mobile-client-initiated-backchannel-authentication-06) says:

CIBA authentication requests MUST therefore contain the "openid" value and the behavior is entirely unspecified, if the "openid" scope value is not present.

Some people think that the term "unspecified" includes not only erroneous behaviors but also successful behaviors. However, if "unspecified" allows successful cases, it will become meaningless for the specification to use "MUST".


Therefore, "the behavior is entirely unspecified" should be replaced with a sentence like "an error will occur".

Comments (5)

  1. Brian Campbell

    unspecified means that it's not specified either way

    the MUST is intended to say that it's not a CIBA request unless the openid scope value is present

  2. Brian Campbell

    Discussed during the Nov 13 MODRNA WG call and there was general consensus to be somewhat more specific about why the behavior is unspecified. Which is to not unduly preclude some other specification or profile from defining what it would mean to have a backchannel authentication request without the openid scope. This might be, for example, a plain vanilla OAuth version of the flow that is basically the same but without an ID Token.

  3. Brian Campbell

    pull request #48 has text that attempts to be somewhat more specific about why the behavior is unspecified when scope doesn't have openid

  4. Log in to comment