oauth-wg / oauth-v2-1

OAuth 2.1 is a consolidation of the core OAuth 2.0 specs
https://oauth.net/2.1/

Scope in relation to OIDC #163

Closed arukiidou closed 6 months ago

arukiidou commented 1 year ago

Summary of proposal

Add the following description to https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-09#access-token-scope

The authorization server SHOULD NOT define different content with the same scope name as an OIDC defined claim, even if it does not implement the OIDC specification.

Why?

Example

✅ It's OK.

| scope | description |
|---|---|
| openid | REQUIRED. For all OpenID Connect OAuth2 requests. |
| profile | OPTIONAL. This scope value requests access to the End-User's default profile Claims, which are: name, family_name, given_name, middle_name, nickname, preferred_username, profile, picture, website, gender, birthdate, zoneinfo, locale, and updated_at. |
| email | OPTIONAL. This scope value requests access to the email and email_verified Claims. |
| address | OPTIONAL. This scope value requests access to the address Claim. |
| phone | OPTIONAL. This scope value requests access to the phone_number and phone_number_verified Claims. |

✅ Not OIDC, but it's also OK (as OAuth 2.1).

Not having a scope defined in the OIDC specification is permitted.

| scope | description |
|---|---|
| profile | OPTIONAL. This scope value requests access to the End-User's default profile Claims, which are: name, family_name, given_name, middle_name, nickname, preferred_username, profile, picture, website, gender, birthdate, zoneinfo, locale, and updated_at. |
| address | OPTIONAL. This scope value requests access to the address Claim. |

✅ Not OIDC, but it's also OK (as OAuth 2.1).

| scope | description |
|---|---|
| profile | OPTIONAL. This scope value requests access to the End-User's default profile Claims, which are: name, family_name, given_name, middle_name, nickname, preferred_username, profile, picture, website, gender, birthdate, zoneinfo, locale, and updated_at. |
| read_registry | OPTIONAL. This scope value requests access to the package registry. |

❌ SHOULD NOT - Do not attempt to request access to an email claim by informing the client of the address scope

| scope | description |
|---|---|
| profile | OPTIONAL. This scope value requests access to the End-User's default profile Claims, which are: name, family_name, given_name, middle_name, nickname, preferred_username, profile, picture, website, gender, birthdate, zoneinfo, locale, and updated_at. |
| address | OPTIONAL. This scope value requests access to the email-address Claim. |

References: OpenID Connect Core 1.0 Spec

https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims
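As an added example (not code from the oauth-v2-1 repository or from this issue), here is a check an AS operator can run over their scope catalogue to flag the ❌ case above: an OIDC-defined scope name being reused to release claims OIDC assigns elsewhere. The OIDC table is the one from Core 1.0 section 5.4; the AS catalogue at the bottom is constructed to mirror the issue's tables.

```python
"""Flag authorization-server scopes that reuse an OIDC scope name for different content.

Added example; not part of the oauth-v2-1 draft or repository.
"""

# Scope -> claims table from OpenID Connect Core 1.0, section 5.4 (ScopeClaims).
OIDC_SCOPE_CLAIMS = {
    "profile": {"name", "family_name", "given_name", "middle_name", "nickname",
                "preferred_username", "profile", "picture", "website", "gender",
                "birthdate", "zoneinfo", "locale", "updated_at"},
    "email": {"email", "email_verified"},
    "address": {"address"},
    "phone": {"phone_number", "phone_number_verified"},
}

# Reverse index: which OIDC scope "owns" each standard claim.
CLAIM_OWNER = {claim: scope for scope, claims in OIDC_SCOPE_CLAIMS.items() for claim in claims}


def find_scope_conflicts(as_scopes):
    """Return {scope: {claim: owning_oidc_scope_or_None}} for every AS scope whose
    name matches an OIDC scope but which releases claims OIDC does not assign to it.

    as_scopes maps each scope the AS offers to the set of claims it releases.
    Scope names OIDC does not define (e.g. read_registry) are never flagged;
    releasing only a subset of the OIDC claims is not flagged either.
    """
    conflicts = {}
    for scope, claims in as_scopes.items():
        expected = OIDC_SCOPE_CLAIMS.get(scope)
        if expected is None:
            continue  # not an OIDC name; the AS is free to define it
        extra = set(claims) - expected
        if extra:
            # Record where each stray claim really belongs (None = not an OIDC claim).
            conflicts[scope] = {c: CLAIM_OWNER.get(c) for c in sorted(extra)}
    return conflicts


# Constructed AS catalogue modelled on the issue's last table: "address" is
# misused to release the email claim, "read_registry" is a non-OIDC scope.
EXAMPLE_AS_SCOPES = {
    "profile": set(OIDC_SCOPE_CLAIMS["profile"]),
    "address": {"email"},
    "read_registry": {"packages"},
}

if __name__ == "__main__":
    for scope, stray in find_scope_conflicts(EXAMPLE_AS_SCOPES).items():
        for claim, owner in stray.items():
            print(f"scope '{scope}' releases '{claim}' (OIDC assigns it to scope {owner!r})")
```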

aaronpk commented 6 months ago

As discussed in the May 14 interim:

Resolved to adding a mention of OpenID scopes, and language that (lowercase) recommends not defining conflicting scopes. However, OpenID is not the only OAuth extension that defines scopes. People were not comfortable with "SHOULD NOT" language restricting defining scopes with meanings in other specs that are not implemented by the AS, as that's impossible to comply with.