From section 3.1.2.1 of the OpenID Connect Core...

scope
   REQUIRED. OpenID Connect requests MUST contain theopenidscope value.
   *If the****openid****scope value is not present, the behavior is
   entirely unspecified.* Other scope values MAY be present. Scope
   values used that are not understood by an implementation SHOULD be
   ignored. See Sections5.4
   <http://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims>and11
   <http://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess>for
   additional scope values defined by this specification.

In this light, there is no specification that covers the behavior of the AS given the authorization request you provided.


At least that is my reading of the specs.

Thanks,
George

On 6/26/17 1:59 PM, Takahiko Kawasaki wrote:
Thank you. Please let me ask a simplified question.

If an authorization server returns this response (including id_token):
HTTP/1.1 302 Found Location: https://client.example.org/cb# access_token=SlAV32hkKG &token_type=bearer &id_token=eyJ0 ... NiJ9.eyJ1c ... I6IjIifX0.DeWt4Qu ... ZXso &expires_in=3600 &state=af0ifjsldkj
when it receives this request (without scope=openid):
   GET /authorize?
     response_type=id_token%20token
     &client_id=s6BhdRkqt3
     &redirect_uri=https%3A%2F%2Fclient.example.org 
<http://2Fclient.example.org>%2Fcb
     &state=af0ifjsldkj HTTP/1.1
   Host:server.example.com <http://server.example.com>
, is the implementation of the authorization server correct?

Best Regards,
Takahiko Kawasaki


2017-06-26 21:53 GMT+09:00 Philippe Signoret <[email protected] <mailto:[email protected]>>:

    None of the examples in that spec are _/OpenID Connect/_
    authentication requests. They are, however, valid _/OAuth 2.0//_/
    authorization requests. The one in question demonstrates use of
    the response_mode=id_token, as defined in the realm of OAuth 2.0.
    If (and only if) it had scope=openid, _/then/_ it would become an
    OpenID Connect auth request, and the OpenID Connect specs would
    apply.

    In other words, the fact that id_token is in the response_type
    does _/not//_ /automatically make it an OpenID Connect request.

    Another way of seeing it is that the OAuth 2.0 Multiple Response
    Type Encoding spec is laying some foundations, as part of the
    OAuth 2.0 framework, upon which OpenID Connect is then built.

    In Section 11.3. OAuth Authorization Endpoint Response Types
    Registry <https://tools.ietf.org/html/rfc6749#section-11.3>, the
    OAuth 2.0 spec (RFC 6749) defines a registry of response types:

       This specification establishes the OAuth Authorization Endpoint

       Response Types registry.

    Then, in Section 3, ID Token Response Type
    
<http://openid.net/specs/oauth-v2-multiple-response-types-1_0.html#id_token>,
    OAuth 2.0 Multiple Response Types registers “id_token” as a
    response type in that same registry:

    This section registers a new Response Type, theid_token, in
    accordance with the stipulations in the OAuth 2.0 specification,
    Section 8.4. The intended purpose of theid_tokenis that it MUST
    provide an assertion of the identity of the Resource Owner as
    understood by the Authorization Server. The assertion MUST specify
    a targeted audience, e.g. the requesting Client. However, the
    specific semantics of the assertion and how it can be validated
    are not specified in this document.

    Finally, on that OAuth 2.0 foundation, the OpenID Connect spec
    defines (amongst other things) that including “scope=openid” is
    how the client indicates that this is an OpenID Connect request,
    makes use of the previously registered Response Type “id_token”
    (in some flows—other flows don’t use the “id_token” response
    type), and proceeds to specify the format and contents of the ID
    Token:

    OpenID Connect implements authentication as an extension to the
    OAuth 2.0 authorization process. Use of this extension is
    requested by Clients by including theopenidscope value in the
    Authorization Request. Information about the authentication
    performed is returned in a*JSON Web Token (JWT)*
    <http://openid.net/specs/openid-connect-core-1_0.html#JWT>[JWT]
    called an ID Token (see*Section 2*
    <http://openid.net/specs/openid-connect-core-1_0.html#IDToken>).

    Philippe

    *From:*Takahiko Kawasaki [mailto:[email protected]
    <mailto:[email protected]>]
    *Sent:* Monday, June 26, 2017 2:17 PM
    *To:* Philippe Signoret <[email protected]
    <mailto:[email protected]>>
    *Cc:* [email protected] <mailto:[email protected]>
    *Subject:* Re: [OAUTH-WG] Example in OAuth 2.0 Multiple Response
    Type Encoding Practices

    The response_type of the example includes id_token and it is the
    reason I've brought it up. id_token triggers Authentication Request.

    # The response_type in the example in Appendix A
    
<https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fopenid.net%2Fspecs%2Foauth-v2-multiple-response-types-1_0.html%23FragmentExample&data=02%7C01%7CPhilippe.Signoret%40microsoft.com%7C092adcaef9954edf8e3208d4bc8d2fba%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636340761951990482&sdata=mRz8ViYA0cYXXO4iVw1vAgO4Xejh%2FDcxYegTfdeOSBw%3D&reserved=0>
    does not include id_token and so I've not mentioned it.

    Best,

    Taka

    2017-06-26 17:09 GMT+09:00 Philippe Signoret
    <[email protected]
    <mailto:[email protected]>>:

        scope=openidis required for OpenID Connect Authentication
        Requests (e.g. "3.3.2.1. Authentication Request
        
<https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fopenid.net%2Fspecs%2Fopenid-connect-core-1_0.html%23HybridAuthRequest&data=02%7C01%7CPhilippe.Signoret%40microsoft.com%7C7ae0944f524d4655cb6c08d4bc56b163%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636340527913704845&sdata=HO6gAigTdBjgxOhsS41bKLbbl1cUyUugvXBjJ4hwmKE%3D&reserved=0>"
        in "OpenID Connect Core 1.0
        
<https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fopenid.net%2Fspecs%2Fopenid-connect-core-1_0.html&data=02%7C01%7CPhilippe.Signoret%40microsoft.com%7C7ae0944f524d4655cb6c08d4bc56b163%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636340527913704845&sdata=FrFLKpyHVfZbRw1OsOs7QH%2F2bSrJbJluKnny0X%2FiJxw%3D&reserved=0>"),
        but not for an OAuth 2.0 Authorization Request (e.g. "4.1.1.
        Authorization Request
        
<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftools.ietf.org%2Fhtml%2Frfc6749%23section-4.1.1&data=02%7C01%7CPhilippe.Signoret%40microsoft.com%7C092adcaef9954edf8e3208d4bc8d2fba%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636340761952000490&sdata=%2FHh3%2BtauyK%2F03OVtSOX7p8XpidnT%2FPGHq8cwvl07vwg%3D&reserved=0>"
        in "RFC6749 The OAuth 2.0 Authorization Framework
        
<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftools.ietf.org%2Fhtml%2Frfc6749&data=02%7C01%7CPhilippe.Signoret%40microsoft.com%7C092adcaef9954edf8e3208d4bc8d2fba%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636340761952000490&sdata=a0%2BsS06wPx%2FxzxKc6z7pBXnQ0p4V7yciycZ%2F6uKJ2SU%3D&reserved=0>").

        OpenID Connect is “an identity layer on top of the OAuth 2.0
        protocol”. OpenID Connect specs will often refer to aspects of
        the OAuth 2.0 protocol, but the OAuth 2.0 specs will generally
        not refer to the OpenID Connect constructs. (Because OpenID
        Connect is a specific case of OAuth 2.0.)

        Philippe

        *From:*OAuth [mailto:[email protected]
        <mailto:[email protected]>] *On Behalf Of *Takahiko Kawasaki
        *Sent:* Monday, June 26, 2017 7:46 AM
        *To:* [email protected] <mailto:[email protected]>
        *Subject:* [OAUTH-WG] Example in OAuth 2.0 Multiple Response
        Type Encoding Practices

        Hello,

        I'm not so sure that this is the right place to ask, but I'm
        wondering whether it is correct or not that the following
        non-normative example found in "5. Definitions of Multi-Valued
        Response Type Combinations
        
<https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fopenid.net%2Fspecs%2Foauth-v2-multiple-response-types-1_0.html%23Combinations&data=02%7C01%7CPhilippe.Signoret%40microsoft.com%7C7ae0944f524d4655cb6c08d4bc56b163%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636340527913704845&sdata=A2%2F5R%2FFDSMUN8lthoex%2BAnF3h%2FouQHjXBPhW3Yv5D7M%3D&reserved=0>"
        in "OAuth 2.0 Multiple Response Type Encoding Practices
        
<https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fopenid.net%2Fspecs%2Foauth-v2-multiple-response-types-1_0.html&data=02%7C01%7CPhilippe.Signoret%40microsoft.com%7C7ae0944f524d4655cb6c08d4bc56b163%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636340527913704845&sdata=oax1ui3n46P2n67Mqx14t0458TZjrcw9IUsdCoGsmho%3D&reserved=0>"
        does not include "scope=openid".

          GET /authorize?

            response_type=id_token%20token

            &client_id=s6BhdRkqt3

            &redirect_uri=https%3A%2F%2Fclient.example.org
        
<https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2F2Fclient.example.org&data=02%7C01%7CPhilippe.Signoret%40microsoft.com%7C7ae0944f524d4655cb6c08d4bc56b163%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636340527913704845&sdata=%2BaCAvhV9qt75Cqajdrr84BVG6MRS3747Ux5CsjJtgQE%3D&reserved=0>%2Fcb

            &state=af0ifjsldkj HTTP/1.1

          Host: server.example.com
        
<https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fserver.example.com&data=02%7C01%7CPhilippe.Signoret%40microsoft.com%7C7ae0944f524d4655cb6c08d4bc56b163%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636340527913704845&sdata=PoXzHooKqVnYx4pzWD%2B4THUElRZjsUC2TNdMlTrhfiY%3D&reserved=0>

        The reason I'm wondering is that "3.3.2.1. Authentication
        Request
        
<https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fopenid.net%2Fspecs%2Fopenid-connect-core-1_0.html%23HybridAuthRequest&data=02%7C01%7CPhilippe.Signoret%40microsoft.com%7C7ae0944f524d4655cb6c08d4bc56b163%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636340527913704845&sdata=HO6gAigTdBjgxOhsS41bKLbbl1cUyUugvXBjJ4hwmKE%3D&reserved=0>"
        in "OpenID Connect Core 1.0
        
<https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fopenid.net%2Fspecs%2Fopenid-connect-core-1_0.html&data=02%7C01%7CPhilippe.Signoret%40microsoft.com%7C7ae0944f524d4655cb6c08d4bc56b163%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636340527913704845&sdata=FrFLKpyHVfZbRw1OsOs7QH%2F2bSrJbJluKnny0X%2FiJxw%3D&reserved=0>"
        requires Authentication Requests be made as defined in
        "3.1.2.1. Authentication Request
        
<https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fopenid.net%2Fspecs%2Fopenid-connect-core-1_0.html%23AuthRequest&data=02%7C01%7CPhilippe.Signoret%40microsoft.com%7C7ae0944f524d4655cb6c08d4bc56b163%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636340527913704845&sdata=WoKMDXrFJDmvaGHGY8ry8Nn7iG5qliNjqNw8UamnHHg%3D&reserved=0>"
        and "3.1.2.1" requires the scope request parameter contain openid.

        Best Regards,

        Takahiko Kawasaki

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth

Reply via email to