Re: [OAUTH-WG] [JAR] scope parameter outside request object of OIDC request

Vladimir Dzhuvinov <> Mon, 21 September 2020 20:59 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id C0C6B3A09C4 for <>; Mon, 21 Sep 2020 13:59:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id V3w3DbqFKUEL for <>; Mon, 21 Sep 2020 13:59:27 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 5CB5B3A09B7 for <>; Mon, 21 Sep 2020 13:59:27 -0700 (PDT)
Received: from [] ([]) by :SMTPAUTH: with ESMTPSA id KSuCk8PCEInvDKSuDka2Vu; Mon, 21 Sep 2020 13:59:26 -0700
X-CMAE-Analysis: v=2.3 cv=LpLsNUVc c=1 sm=1 tr=0 a=dqIGGK8WkwP9YsiiukqjPw==:117 a=dqIGGK8WkwP9YsiiukqjPw==:17 a=q0rX5H01Qin5IyBaTmIA:9 a=r77TgQKjGQsHNAKrUKIA:9 a=48vgC7mUAAAA:8 a=8u0s53YARhXEXwQHUz8A:9 a=QEXdDO2ut3YA:10 a=pGLkceISAAAA:8 a=jbDTkXzkSxv5gPYADOcA:9 a=EMbSelBKFpqyUJPX:21 a=_W_S_7VecoQA:10 a=D8lnhvtxf0AONpHuB7QA:9 a=ZVk8-NSrHBgA:10 a=30ssDGKg3p0A:10 a=w1C3t2QeGrPiZgrLijVG:22
References: <>
From: Vladimir Dzhuvinov <>
Autocrypt:; prefer-encrypt=mutual; keydata= mQENBFQZaoEBCACnP2YMDex9fnf+niLglTHGKuoypUSVKPQeKDHHeFQVzhRke+HBEZBwmA9T kZ+kEhyrNqibDPkPYVPmo23tM8mbNcTVQqpmN7NwgMpqkqcAqNsIyBtt09DjWOQVm57A3K+y uXI7SdNErdt79p2xQseOhqSC9+LgWuyh+mZsl2oFD4glFFfKSCMp2jATXrAMeGzigTnW+Xe0 tRzrwFN9zqykKxhUq9oHg1cNvoDtfxgsc9ysVHbxM/PM8o9lgj3YTQwKMBcCFclTqohji7ML fQ08eQo+acKTwC1WRzeLt9PknGt3C4TmvdCl0c1BQTTTNiF96Hu4kbaiBIbsfxJOR8+VABEB AAG0LFZsYWRpbWlyIER6aHV2aW5vdiA8dmxhZGltaXJAY29ubmVjdDJpZC5jb20+iQE+BBMB AgAoBQJUGWqBAhsjBQkJZgGABgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRAZ0vUyOqri Ql62B/wOO0s2JC/QvO6w9iSsRhCOa/JZi+wO+l01V7eGCQ1cYf1W26Y7iKiUlY4/Kz+cr69D pMtkv3UpDTGejKEfspLUxz5Vo3T4oAKbTtNtVIZL/XxH3/JhJ719Jj4eLoe9/djKkGYTX2O5 bMk8TpO1DDjbIw4r9XKI9ZIk96zlKnZvrg7Ho7oOl0ZIf8AzcvdqZEUogDwyr8uwOU+jIyux mOTthepBzXCNjjBjnc8I1//9YppAIaGJ5nnXelVVD1/dyOszogervzFNANEIOvNvCd9G5u4e s7qkDKWKY7/Lj1tF+tMrDTrOh6JqUKbGNeTUB8DlPvIoNyqHUYfBELdpw1Nd
X-Enigmail-Draft-Status: N11100
Organization: Connect2id Ltd.
Message-ID: <>
Date: Mon, 21 Sep 2020 23:59:24 +0300
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.10.0
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="------------ms080100070105000502060209"
X-CMAE-Envelope: MS4wfFphsQEeop2TTUF/Gq3sjN9tfB7QSnFlogUnGImhTwaRfYW7HhTJNlCvkV8QpTWIT27q8Un7kC73kV8FjHw7P5Pmng9XKsrmtPslFSDFJMUqwLMt04tY LyHfCHQY+UXly3GGu5/uW/2fe4G1o/ny8qORIHSRvBFR+3bn1wS786X/
Archived-At: <>
Subject: Re: [OAUTH-WG] [JAR] scope parameter outside request object of OIDC request
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 21 Sep 2020 20:59:29 -0000

Hi Taka,

On 21/09/2020 20:12, Takahiko Kawasaki wrote:
> If we allow JAR (JWT Secured Authorization Request) to relax the
> requirement of `response_type` request parameter (outside a request
> object) from mandatory to optional, should we relax the following
> requirement of `scope` request parameter stated in OIDC Core 1.0
> Section 6.1, too?
> ----------
> Even if a scope parameter is present in the Request Object value, a
> scope parameter MUST always be passed using the OAuth 2.0 request
> syntax containing the openid scope value to indicate to the underlying
> OAuth 2.0 logic that this is an OpenID Connect request.
> ----------
> Otherwise, an authorization request like
> "client_id=...&request(_uri)=..." fails if the request object
> represents an OIDC request. An authorization request has to look like
> "client_id=...&request(_uri)=...&scope=openid" (`scope` including
> `openid` has to be given) even if the authorization server conforms to
> JAR and allows omission of `response_type` request parameter.

The bottom of section 5 has normative text which allows a JAR compliant
server to also comply with the OIDC spec with its own style of request /
request_uri parameter handling insofar as to not reject other query
params (such as scope, etc). The difference is that according to JAR
their values cannot be used or merged (as in OIDC). But what can be
reasonably done is to detect scope=openid as you say and then switch to
OIDC style request object behavior.

>    The client MAY send the parameters included in the request object
>    duplicated in the query parameters as well for the backward
>    compatibility etc.  However, the authorization server supporting this
>    specification MUST only use the parameters included in the request
>    object.

The confusion between the two specs clears when it's seen that the
request objects in OIDC and JAR have different objectives.

In OIDC the objective is to enable securing of selected parameters.

In JAR the objective is to secure the entire authz request.

> I think that implementers want to know consensus on this because it
> affects implementations. Has this been discussed yet?
> Best Regards,
> Takahiko Kawasaki
> Authlete, Inc.