OIDC dynamic registration and requested scopes

Henri Mikkonen henri.mikkonen at csc.fi
Thu Apr 30 13:46:17 EDT 2020

Hi Keith,

> On 30 Apr 2020, at 5.59, Wessel, Keith <kwessel at illinois.edu> wrote:
> Thanks, Scott. That's useful. OIDC extension developers, have you all had any thoughts on how you might address this in the short or long term?

The OIDC client registration spec [1] doesn’t even mention scope as part of the registration request/response exchange, but the spec also allows the OP to ignore any fields that it recognizes. Anyway, it sounds like it would be ok for clients to request any scope values that are a subset of the default scope, which is already configurable via a property.

This is related to supporting bearer access tokens in this endpoint, see JOIDC-8 [2] and the referenced GitHub issue. The scope could be encoded inside those access tokens, the value being decided by the admin who issues the access token. The details and schedule of the feature are still wide open, so now it’s a good time to share any thoughts regarding it.


[1] https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata
[2] https://issues.shibboleth.net/jira/projects/JOIDC/issues/JOIDC-8
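
Added example, not part of the original message or of the Shibboleth OIDC extension's code: one way an OP's registration endpoint could apply the subset rule discussed above. The default scope values, the reject-on-excess behaviour and the names `resolve_scope`, `RegistrationError` and `DEFAULT_SCOPE` are assumptions; `scope` is treated as a space-delimited string, as in RFC 7591 client metadata.

```python
import json

# Assumption: stands in for the OP's configurable default scope property.
DEFAULT_SCOPE = frozenset({"openid", "profile", "email"})


class RegistrationError(Exception):
    """Carries the body of a registration error response."""

    def __init__(self, description):
        super().__init__(description)
        self.body = {"error": "invalid_client_metadata",
                     "error_description": description}


def resolve_scope(request_body, default_scope=DEFAULT_SCOPE):
    """Return the space-delimited scope to record for a new client.
    No `scope` member: the default scope. Otherwise every requested value
    must be in the default scope, or the registration is rejected.
    """
    metadata = json.loads(request_body)
    if not isinstance(metadata, dict):
        raise RegistrationError("registration request must be a JSON object")
    requested = metadata.get("scope")
    if requested is None:
        return " ".join(sorted(default_scope))
    if not isinstance(requested, str) or not requested.split():
        raise RegistrationError("scope must be a non-empty space-delimited string")
    values = requested.split()
    excess = sorted(set(values) - default_scope)
    if excess:
        # Reject rather than silently narrow, so the client sees what was refused.
        raise RegistrationError("scope values not permitted: " + " ".join(excess))
    return " ".join(dict.fromkeys(values))  # keep client order, drop duplicates


# Constructed sample requests (not captured traffic).
SAMPLES = [
    '{"redirect_uris": ["https://rp.example.org/cb"]}',
    '{"redirect_uris": ["https://rp.example.org/cb"], "scope": "openid email"}',
    '{"redirect_uris": ["https://rp.example.org/cb"], "scope": "openid admin"}',
]

if __name__ == "__main__":
    for body in SAMPLES:
        try:
            print(resolve_scope(body))
        except RegistrationError as err:
            print(json.dumps(err.body))
```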