The authorization server SHOULD NOT define different content with the same scope name as an OIDC defined claim, even if it does not implement the OIDC specification.
Why?

- Interoperability with OIDC specifications as much as possible
- If a client could implicitly expect the request content from the scope name, do not mislead it
Example

✅ It's OK.

| scope | description |
|---|---|
| openid | REQUIRED. For all OpenID Connect OAuth2 requests. |
| profile | OPTIONAL. This scope value requests access to the End-User's default profile Claims, which are: name, family_name, given_name, middle_name, nickname, preferred_username, profile, picture, website, gender, birthdate, zoneinfo, locale, and updated_at. |
| email | OPTIONAL. This scope value requests access to the email and email_verified Claims. |
| address | OPTIONAL. This scope value requests access to the address Claim. |
| phone | OPTIONAL. This scope value requests access to the phone_number and phone_number_verified Claims. |
✅ Not OIDC, but it's also OK (as OAuth 2.1).

Not having a scope defined in the OIDC specification is permitted.

| scope | description |
|---|---|
| profile | OPTIONAL. This scope value requests access to the End-User's default profile Claims, which are: name, family_name, given_name, middle_name, nickname, preferred_username, profile, picture, website, gender, birthdate, zoneinfo, locale, and updated_at. |
| address | OPTIONAL. This scope value requests access to the address Claim. |
✅ Not OIDC, but it's also OK (as OAuth 2.1).

| scope | description |
|---|---|
| profile | OPTIONAL. This scope value requests access to the End-User's default profile Claims, which are: name, family_name, given_name, middle_name, nickname, preferred_username, profile, picture, website, gender, birthdate, zoneinfo, locale, and updated_at. |
| read_registry | OPTIONAL. This scope value requests access to the package registry. |
❌ SHOULD NOT - Do not attempt to request access to an email claim by informing the client of the address scope

| scope | description |
|---|---|
| profile | OPTIONAL. This scope value requests access to the End-User's default profile Claims, which are: name, family_name, given_name, middle_name, nickname, preferred_username, profile, picture, website, gender, birthdate, zoneinfo, locale, and updated_at. |
| address | OPTIONAL. This scope value requests access to the email-address Claim. |
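The rule proposed above is easy to enforce mechanically at configuration time. The following is an added example, not code from the issue thread, the OAuth 2.1 draft, or any authorization server: a small lint that compares an authorization server's scope definitions against the scope-to-claims mapping in OpenID Connect Core 1.0 section 5.4 and reports any OIDC-named scope whose claim set differs. The configuration format (scope name mapped to a set of claim names) and the `read_registry` claim value are assumptions made for the example; the three constructed configurations mirror the tables in the issue.

```python
# Added example (not from the issue thread or the OAuth 2.1 draft): a lint for an
# authorization server's scope configuration that flags scopes whose names are
# OIDC-defined but whose claim sets differ from OpenID Connect Core 1.0, section 5.4.
# The config format (scope name -> set of claim names) is an assumption of this example.

# Scope -> claims as defined in OpenID Connect Core 1.0, section 5.4 (ScopeClaims).
# "openid" requests an ID Token and maps to no UserInfo claims of its own.
OIDC_SCOPE_CLAIMS: dict[str, frozenset[str]] = {
    "openid": frozenset(),
    "profile": frozenset({
        "name", "family_name", "given_name", "middle_name", "nickname",
        "preferred_username", "profile", "picture", "website", "gender",
        "birthdate", "zoneinfo", "locale", "updated_at",
    }),
    "email": frozenset({"email", "email_verified"}),
    "address": frozenset({"address"}),
    "phone": frozenset({"phone_number", "phone_number_verified"}),
}


def check_scope_config(scopes: dict[str, set[str]]) -> list[str]:
    """Return one finding per scope whose name is OIDC-defined but whose claim
    set differs (extra claims, missing claims, or both). Scopes that OIDC does
    not define (e.g. read_registry) are never flagged, matching the proposal."""
    findings: list[str] = []
    for name, claims in scopes.items():
        expected = OIDC_SCOPE_CLAIMS.get(name)
        if expected is None:
            continue  # OAuth-only scope; no OIDC meaning to collide with
        actual = frozenset(claims)
        if actual != expected:
            extra = sorted(actual - expected)
            missing = sorted(expected - actual)
            findings.append(
                f"scope '{name}' conflicts with its OIDC definition: "
                f"extra claims {extra}, missing claims {missing}"
            )
    return findings


# Constructed configurations mirroring the issue's tables (not real deployments).

# The "It's OK" table: every scope means exactly what OIDC says it means.
OK_OIDC_CONFIG: dict[str, set[str]] = {
    "openid": set(),
    "profile": set(OIDC_SCOPE_CLAIMS["profile"]),
    "email": {"email", "email_verified"},
    "address": {"address"},
    "phone": {"phone_number", "phone_number_verified"},
}

# The "not OIDC, but OK" table: an OAuth-only scope alongside an OIDC one.
OK_OAUTH_ONLY_CONFIG: dict[str, set[str]] = {
    "profile": set(OIDC_SCOPE_CLAIMS["profile"]),
    "read_registry": {"registry:read"},  # constructed claim name, not OIDC-defined
}

# The "SHOULD NOT" table: 'address' repurposed to grant the email claim.
SHOULD_NOT_CONFIG: dict[str, set[str]] = {
    "profile": set(OIDC_SCOPE_CLAIMS["profile"]),
    "address": {"email"},
}

if __name__ == "__main__":
    for label, cfg in [
        ("ok-oidc", OK_OIDC_CONFIG),
        ("ok-oauth-only", OK_OAUTH_ONLY_CONFIG),
        ("should-not", SHOULD_NOT_CONFIG),
    ]:
        print(label, "->", check_scope_config(cfg) or "no conflicts")
```

The check is deliberately strict in both directions: a `profile` scope that grants only `name` is flagged just as a repurposed `address` scope is, because a client that knows OIDC would infer the wrong content from either. Running such a lint in the authorization server's startup or CI path turns the draft's "SHOULD NOT" into something that fails fast instead of surfacing as a client-side surprise.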
Resolved to adding a mention of OpenID scopes, and language that (lowercase) recommends not defining conflicting scopes. However, OpenID is not the only OAuth extension that defines scopes. People were not comfortable with "SHOULD NOT" language restricting defining scopes with meanings in other specs that are not implemented by the AS, as that's impossible to comply with.
Summary of proposal
Add the following description to https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-09#access-token-scope
References: OpenID Connect Core 1.0 Spec, https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims