Originally submitted by Takahiko Kawasaki on 2025-04-25
In OpenID Connect Native SSO for Mobile Apps 1.0 draft 07, Section 4.1. OAuth2 Token Exchange Profile, the scope request parameter is defined as follows:
scope
OPTIONAL. The scopes required by the requesting native application. When present, it MUST include the openid scope value as one of the provided values.
However, since RFC 6749 The OAuth 2.0 Authorization Framework, Section 3.3 Access Token Scope states the following, some authorization server implementations may apply a default scope set when the scope parameter is omitted.
If the client omits the scope parameter when requesting authorization, the authorization server MUST either process the request using a pre-defined default value or fail the request indicating an invalid scope.
Let’s suppose the default scope set is resolved to ["scope1", "scope2"], and openid is not included. Under the current Native SSO specification, this does not result in an error—because the openid scope is only required when the scope parameter is explicitly specified. Whether the openid scope is required or not depends on whether the scope parameter is explicitly provided or defaults are applied. This behavior is inconsistent.
I believe the description of the scope parameter should be modified so that either the openid scope is required in both cases — whether the scope parameter is explicitly specified or the default scope set is applied — or the openid scope is not required at all.
Frankly speaking, I don't quite understand why the access token issued through token exchange must have the openid scope. While I can imagine that it might be because the access token and refresh token are tied to the user's authentication session, I don't see the technical necessity for it.
Bitbucket status: new
Bitbucket origin: issue 2178
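The inconsistency described in this issue, as an added example that is not part of the issue or the Native SSO draft: a small model of how an authorization server resolves the `scope` parameter of the token exchange request, first checked the way draft 07 words it and then with openid required in the effective scope set. The function names and the default scope set (`scope1`, `scope2`, with openid absent, as in the issue's example) are assumptions.

```python
# Added example, not code from the issue or from any OpenID implementation.
# Models scope handling for a Native SSO token exchange request under two rules.
from typing import Callable, FrozenSet, Optional

# Constructed default scope set, as in the issue's example: openid is not in it.
DEFAULT_SCOPES: FrozenSet[str] = frozenset({"scope1", "scope2"})


def resolve_scopes(scope_param: Optional[str]) -> FrozenSet[str]:
    """RFC 6749 section 3.3: an omitted scope parameter is processed with the
    server's pre-defined default set; a present one is split on spaces."""
    if scope_param is None:
        return DEFAULT_SCOPES
    return frozenset(scope_param.split())


def validate_draft07(scope_param: Optional[str]) -> FrozenSet[str]:
    """Check exactly as draft 07 words it: openid is required only when the
    scope parameter is present, so an omitted parameter is never rejected
    even if the default set lacks openid."""
    if scope_param is not None and "openid" not in scope_param.split():
        raise ValueError("invalid_scope: openid missing from explicit scope")
    return resolve_scopes(scope_param)


def validate_consistent(scope_param: Optional[str]) -> FrozenSet[str]:
    """One of the two alternatives the issue proposes: require openid in the
    effective scope set, whether it came from the request or from defaults."""
    scopes = resolve_scopes(scope_param)
    if "openid" not in scopes:
        raise ValueError("invalid_scope: effective scope set lacks openid")
    return scopes


def outcome(check: Callable[[Optional[str]], FrozenSet[str]],
            scope_param: Optional[str]) -> str:
    """Human-readable result of applying one validation rule to one request."""
    try:
        return "granted " + " ".join(sorted(check(scope_param)))
    except ValueError as exc:
        return "rejected (" + str(exc) + ")"


if __name__ == "__main__":
    # Three requests: explicit with openid, explicit without it, omitted.
    for param in ("openid profile", "profile", None):
        label = "omitted" if param is None else repr(param)
        print(f"scope={label:18} draft07: {outcome(validate_draft07, param)}")
        print(f"scope={label:18} consistent: {outcome(validate_consistent, param)}")
```

With the scope parameter omitted, the draft 07 rule grants `scope1 scope2` without openid while the explicit request `profile` is rejected; the consistent rule rejects both.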