kdoyen / openid-connect-php

Minimalist OpenID Connect client (PHP5.4+)
https://github.com/kdoyen/openid-connect-php

openid scope is not sent by default - or at least it should be documented to add it #3

Open kikkauz opened 6 years ago

kikkauz commented 6 years ago

Hello

I am testing this library with Keycloak and I got an issue, as the code was failing with the exception "User did not authorize openid scope." and this is because the Keycloak server was not sending the id_token.

According to openid specs, chapter 3.1.2.1: "scope REQUIRED. OpenID Connect requests MUST contain the openid scope value. If the openid scope value is not present, the behavior is entirely unspecified."

Adding the scope openid made it work. As it is specified that this scope must be present, I'm wondering if it's not better to hardcode it in the authentication request, or at least document it.

Best

kikkauz

kdoyen commented 6 years ago

You are correct that it is a requirement of the specification to require the openid scope when doing an authentication request, which a proper OIDC Identity Provider should enforce.

For maximum flexibility/compatibility this library does not hardcode the openid scope.

The main reason for this behavior is that it allows users of this library the choice of whether or not their use case requires sending the openid scope.

I do agree that updating the documentation to better point out openid scope usage / requirement in the authentication example would be a good idea.

I will go ahead and make that change.
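Added example (PHP, not code from kdoyen/openid-connect-php or from either commenter): a client-side helper that enforces the spec requirement discussed above by inserting the openid scope into the authentication request when the caller omits it, and rejecting a token response that carries no id_token, which is the failure Keycloak produced here. The endpoint, client id, redirect URI, scopes and the simulated token response are constructed placeholders.

```php
<?php
/**
 * Build an OIDC authorization request URL. The "openid" scope is added
 * if the caller left it out (OpenID Connect Core 1.0, section 3.1.2.1).
 * All parameter values are supplied by the caller (placeholders below).
 */
function buildAuthorizationUrl($authEndpoint, $clientId, $redirectUri,
                               array $scopes, $state, $nonce)
{
    if (!in_array('openid', $scopes, true)) {
        array_unshift($scopes, 'openid');
    }
    $params = array(
        'response_type' => 'code',
        'client_id'     => $clientId,
        'redirect_uri'  => $redirectUri,
        'scope'         => implode(' ', $scopes),
        'state'         => $state, // ties the callback to this session (CSRF)
        'nonce'         => $nonce, // echoed in the id_token, detects replay
    );
    return $authEndpoint . '?' . http_build_query($params);
}

/**
 * Without "openid" a provider such as Keycloak returns a plain OAuth2
 * token response with no id_token; treat that as a failed OIDC login
 * instead of assuming the user is authenticated.
 */
function requireIdToken(array $tokenResponse)
{
    if (empty($tokenResponse['id_token'])) {
        throw new RuntimeException('User did not authorize openid scope');
    }
    return $tokenResponse['id_token'];
}

// Constructed placeholder values, not a real provider or client.
$state = bin2hex(openssl_random_pseudo_bytes(16));
$nonce = bin2hex(openssl_random_pseudo_bytes(16));
echo buildAuthorizationUrl('https://idp.example/auth', 'my-client',
    'https://app.example/callback', array('profile', 'email'), $state, $nonce), "\n";

try { // simulates the response seen in this issue: no id_token at all
    requireIdToken(array('access_token' => 'abc', 'token_type' => 'Bearer'));
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```

The printed URL carries scope=openid+profile+email even though the caller passed only profile and email; the second call raises the same exception text the reporter hit, which is the correct outcome when no id_token is returned.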