[OAUTH-WG] [JAR] scope parameter outside request object of OIDC request

Takahiko Kawasaki <taka@authlete.com> Mon, 21 September 2020 17:12 UTC

From: Takahiko Kawasaki <taka@authlete.com>
Date: Tue, 22 Sep 2020 02:12:08 +0900
Message-ID: <CAHdPCmOPwqbemgKsEALA0OvP+6z58N5eNA9WA_AsvDESNhE1kg@mail.gmail.com>
To: oauth <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/1q9C7wbmc92_prDgpsAUFcJlWLM>

If we allow JAR (JWT Secured Authorization Request) to relax the
requirement on the `response_type` request parameter (outside a request object)
from mandatory to optional, should we relax the following requirement on the
`scope` request parameter stated in OIDC Core 1.0 Section 6.1, too?

----------
Even if a scope parameter is present in the Request Object value, a scope
parameter MUST always be passed using the OAuth 2.0 request syntax
containing the openid scope value to indicate to the underlying OAuth 2.0
logic that this is an OpenID Connect request.
----------

Otherwise, an authorization request like "client_id=...&request(_uri)=..."
fails if the request object represents an OIDC request. An authorization
request has to look like "client_id=...&request(_uri)=...&scope=openid"
(a `scope` including `openid` has to be given) even if the authorization
server conforms to JAR and allows omission of the `response_type` request
parameter.

I think that implementers want to know the consensus on this because it affects
implementations. Has this been discussed yet?

Best Regards,
Takahiko Kawasaki
Authlete, Inc.
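The interaction the message describes, as an added, self-contained example (not code from the post, the IETF working group, or Authlete): an authorization server's request-resolution step with two switchable policy flags, one for the OIDC Core 6.1 rule that `response_type` must appear outside the request object and one for the 6.1 rule that `scope=openid` must appear outside it. The request object is a constructed HS256-signed JWS under a constructed shared secret (a real server would verify with the client's registered key), and the claim values, client id and URLs are made up for the demo. Running it shows that "client_id=...&request=..." is rejected as long as the outer-`openid` rule is kept, even after the `response_type` rule is dropped, and is accepted only when both are relaxed.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import parse_qs, urlencode

# Constructed demo secret: not a real credential.
KEY = b"constructed-demo-shared-secret-do-not-use"

# Constructed request-object content modelled on an OIDC authorization request.
REQUEST_OBJECT_CLAIMS = {
    "iss": "s6BhdRkqt3",
    "aud": "https://as.example.com",          # placeholder AS issuer URL
    "client_id": "s6BhdRkqt3",
    "response_type": "code",
    "redirect_uri": "https://client.example.org/cb",
    "scope": "openid profile",
    "state": "af0ifjsldkj",
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_request_object(claims: dict, key: bytes) -> str:
    """Produce a compact JWS (HS256) carrying the request object claims."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_request_object(jws: str, key: bytes) -> dict:
    """Check the HS256 signature and return the claims; raise ValueError otherwise."""
    parts = jws.split(".")
    if len(parts) != 3:
        raise ValueError("request object is not a compact JWS")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg in request object header")  # never accept 'none'
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad request object signature")
    return json.loads(_b64url_decode(payload_b64))


def resolve_request(query: str, key: bytes,
                    require_outer_response_type: bool,
                    require_outer_openid: bool) -> dict:
    """Resolve an authorization request under the chosen outer-parameter policy.

    require_outer_response_type: OIDC Core 6.1 rule that response_type is passed
        outside the request object (the rule JAR relaxes).
    require_outer_openid: OIDC Core 6.1 rule that scope=openid is passed outside
        the request object (the rule the message asks about).
    Returns {"accepted": bool, "reason": str, "is_oidc": bool, "params": dict}.
    """
    outer = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    result = {"accepted": False, "reason": "", "is_oidc": False, "params": {}}
    if "client_id" not in outer:
        result["reason"] = "client_id must be passed outside the request object"
        return result
    effective = dict(outer)
    if "request" in outer:
        try:
            obj = verify_request_object(outer["request"], key)
        except ValueError as exc:
            result["reason"] = str(exc)
            return result
        if obj.get("client_id") != outer["client_id"]:
            result["reason"] = "client_id inside the request object differs from the outer one"
            return result
        if require_outer_response_type and "response_type" not in outer:
            result["reason"] = "OIDC Core 6.1: response_type must be passed outside the request object"
            return result
        if require_outer_openid and "openid" in obj.get("scope", "").split() \
                and "openid" not in outer.get("scope", "").split():
            result["reason"] = "OIDC Core 6.1: scope=openid must be passed outside the request object"
            return result
        effective.update(obj)          # request object values take precedence
        effective.pop("request", None)
    if "response_type" not in effective:
        result["reason"] = "response_type missing"
        return result
    # The 'openid' scope value is what tells the OAuth 2.0 logic this is an OIDC request.
    result.update(accepted=True, reason="ok",
                  is_oidc="openid" in effective.get("scope", "").split(),
                  params={k: v for k, v in effective.items() if k not in ("iss", "aud")})
    return result


def build_example_query(include_outer_oidc_params: bool, key: bytes = KEY) -> str:
    """client_id=...&request=... with or without scope=openid&response_type=code outside."""
    params = {"client_id": REQUEST_OBJECT_CLAIMS["client_id"],
              "request": sign_request_object(REQUEST_OBJECT_CLAIMS, key)}
    if include_outer_oidc_params:
        params.update(scope="openid", response_type="code")
    return urlencode(params)


if __name__ == "__main__":
    for label, rt, oid in (("OIDC Core 6.1", True, True),
                           ("JAR, 6.1 scope rule kept", False, True),
                           ("JAR, both relaxed", False, False)):
        r = resolve_request(build_example_query(False), KEY, rt, oid)
        print(f"{label:26s} client_id+request only -> accepted={r['accepted']} ({r['reason']})")
```

The three policy rows in the `__main__` block correspond to the message's scenario: the minimal "client_id=...&request=..." request keeps failing under the second row, which is exactly the combination a JAR-conforming server that still honours OIDC Core 6.1 would enforce.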