As noted in https://github.com/mozilla/fxa-oauth-server/issues/515, untrusted reliers currently can't request the `openid` scope, and hence can't use the OIDC id_token flow. I don't see any risk to allowing them to request it, since the id_token doesn't directly contain any profile information; they still have to request other scopes like `profile:email` in order to be able to access profile data.

@vbudhram r?
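The reasoning above (an id_token carries identity claims only, and profile data is still gated by the separately granted `profile:*` scopes) modelled as a small added example. This is not fxa-oauth-server's code: the scope allow-list, the claim set and the HS256 signing are assumptions chosen to keep the example self-contained.

```python
import base64
import hashlib
import hmac
import json
import time

# Hypothetical allow-list for untrusted reliers (assumption, not the real server config).
UNTRUSTED_ALLOWED_SCOPES = {"openid", "profile:email", "profile:uid"}


def filter_scopes(requested, trusted):
    """Scopes granted to a relier: trusted reliers get what they ask for,
    untrusted reliers are intersected with the allow-list."""
    asked = set(requested.split())
    return asked if trusted else asked & UNTRUSTED_ALLOWED_SCOPES


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def build_id_token(uid, client_id, key, issuer="https://oauth.example/", now=None):
    """Return (claims, compact JWT). The claims identify the user to this relier only;
    no email or display name is present regardless of other scopes (assumed claim set).
    HS256 is used here purely for brevity; a real OIDC provider would sign with RS256."""
    now = int(now if now is not None else time.time())
    claims = {"iss": issuer, "sub": uid, "aud": client_id, "iat": now, "exp": now + 3600}
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return claims, signing_input + "." + _b64url(sig)


def profile_response(granted, profile):
    """Release each profile field only when its scope was actually granted."""
    out = {}
    if "profile:email" in granted:
        out["email"] = profile["email"]
    if "profile:uid" in granted:
        out["uid"] = profile["uid"]
    return out


if __name__ == "__main__":
    # Constructed sample: an untrusted relier asking for more than it is allowed.
    granted = filter_scopes("openid profile:email profile:write", trusted=False)
    claims, token = build_id_token("abc123", "client-1", b"constructed-test-key")
    print(granted, claims, profile_response(granted, {"email": "u@example.test", "uid": "abc123"}))
```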