Scope in relation to OIDC #163

@arukiidou

Summary of proposal

Add the following description to https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-09#access-token-scope

The authorization server SHOULD NOT define different content with the same scope name as an OIDC defined claim, even if it does not implement the OIDC specification.

Why?

  • Interoperability with the OIDC specifications as much as possible
  • If a client could implicitly expect the request content from the scope name, do not mislead it

Example

✅ It's OK.

| scope | description |
|---|---|
| openid | REQUIRED for all OpenID Connect OAuth2 requests. |
| profile | OPTIONAL. This scope value requests access to the End-User's default profile Claims, which are: name, family_name, given_name, middle_name, nickname, preferred_username, profile, picture, website, gender, birthdate, zoneinfo, locale, and updated_at. |
| email | OPTIONAL. This scope value requests access to the email and email_verified Claims. |
| address | OPTIONAL. This scope value requests access to the address Claim. |
| phone | OPTIONAL. This scope value requests access to the phone_number and phone_number_verified Claims. |

✅ Not OIDC, but it's also OK (as OAuth 2.1).

Not having a scope defined in the OIDC specification is permitted.

| scope | description |
|---|---|
| profile | OPTIONAL. This scope value requests access to the End-User's default profile Claims, which are: name, family_name, given_name, middle_name, nickname, preferred_username, profile, picture, website, gender, birthdate, zoneinfo, locale, and updated_at. |
| address | OPTIONAL. This scope value requests access to the address Claim. |

✅ Not OIDC, but it's also OK (as OAuth 2.1).

| scope | description |
|---|---|
| profile | OPTIONAL. This scope value requests access to the End-User's default profile Claims, which are: name, family_name, given_name, middle_name, nickname, preferred_username, profile, picture, website, gender, birthdate, zoneinfo, locale, and updated_at. |
| read_registry | OPTIONAL. This scope value requests access to the package registry. |

❌ SHOULD NOT. Do not attempt to request access to an email claim by informing the client of the address scope.

| scope | description |
|---|---|
| profile | OPTIONAL. This scope value requests access to the End-User's default profile Claims, which are: name, family_name, given_name, middle_name, nickname, preferred_username, profile, picture, website, gender, birthdate, zoneinfo, locale, and updated_at. |
| address | OPTIONAL. This scope value requests access to the email-address Claim. |

References: OpenID Connect Core 1.0 Spec

https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims
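The rule proposed above is easy to check mechanically on an authorization server's own scope configuration before it is published. The following is an added example, not code from the issue author or from the OAuth working group: it encodes the scope-to-claims table of OpenID Connect Core 1.0 section 5.4 (as quoted in the issue) and reports every scope whose name collides with an OIDC-defined scope but whose claim set differs, while leaving server-specific names such as `read_registry` alone. The four sample configurations mirror the four tables in the issue and are constructed here; `lint_scopes` and `Finding` are hypothetical names.

```python
"""Lint a scope configuration for name collisions with OIDC-defined scopes.

Added example (not the issue's or the working group's code). A scope whose
name matches an OIDC-defined scope must map to exactly the OIDC-defined
claims; any other scope name is unconstrained.
"""
from dataclasses import dataclass

# Scope -> claims mapping from OpenID Connect Core 1.0, section 5.4.
# "openid" requests the ID Token rather than a claim set, so it is not
# compared here; the proposal only concerns claim-bearing scope names.
OIDC_SCOPE_CLAIMS: dict[str, frozenset[str]] = {
    "profile": frozenset({
        "name", "family_name", "given_name", "middle_name", "nickname",
        "preferred_username", "profile", "picture", "website", "gender",
        "birthdate", "zoneinfo", "locale", "updated_at",
    }),
    "email": frozenset({"email", "email_verified"}),
    "address": frozenset({"address"}),
    "phone": frozenset({"phone_number", "phone_number_verified"}),
}


@dataclass(frozen=True)
class Finding:
    """One scope whose name is OIDC-defined but whose content differs."""
    scope: str
    extra_claims: frozenset[str]    # claims the server grants beyond the OIDC definition
    missing_claims: frozenset[str]  # OIDC-defined claims the server does not grant


def lint_scopes(server_scopes: dict[str, set[str]]) -> list[Finding]:
    """Return a Finding for every OIDC-named scope with a non-OIDC claim set.

    server_scopes maps each scope name the server offers to the claims it
    releases for that scope. Names not defined by OIDC are never reported,
    since the draft text permits non-OIDC scopes.
    """
    findings: list[Finding] = []
    for name, claims in server_scopes.items():
        expected = OIDC_SCOPE_CLAIMS.get(name)
        if expected is None:
            continue  # not an OIDC-defined scope name: free to define
        actual = frozenset(claims)
        if actual != expected:
            findings.append(Finding(name, actual - expected, expected - actual))
    return findings


def describe(findings: list[Finding]) -> list[str]:
    """Human-readable lines for a review report, one per finding."""
    lines = []
    for f in findings:
        parts = []
        if f.extra_claims:
            parts.append("grants non-OIDC claims " + ", ".join(sorted(f.extra_claims)))
        if f.missing_claims:
            parts.append("omits OIDC claims " + ", ".join(sorted(f.missing_claims)))
        lines.append(f"scope '{f.scope}' collides with the OIDC definition: " + "; ".join(parts))
    return lines


# Constructed sample configurations mirroring the issue's four tables.
FULL_OIDC = {name: set(claims) for name, claims in OIDC_SCOPE_CLAIMS.items()}
SUBSET_OIDC = {"profile": FULL_OIDC["profile"], "address": {"address"}}
MIXED = {"profile": FULL_OIDC["profile"], "read_registry": {"package_registry"}}
MISLEADING = {"profile": FULL_OIDC["profile"], "address": {"email"}}

if __name__ == "__main__":
    for label, cfg in [("full", FULL_OIDC), ("subset", SUBSET_OIDC),
                       ("mixed", MIXED), ("misleading", MISLEADING)]:
        report = describe(lint_scopes(cfg))
        print(label, "->", report or ["ok"])
```

Running it prints `ok` for the first three configurations and a single finding for the last one, where `address` grants `email` and omits `address`. The check is deliberately strict about missing claims as well as extra ones: a `profile` scope that silently returns only `name` would also be reported, since a client reading the OIDC definition would expect the full set.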

Labels: interim (Items to discuss in the next WG interim meeting)