From ec00ff154ac5c7486114577309d39ac166dd4fc8 Mon Sep 17 00:00:00 2001 From: Axel Nennker Date: Mon, 7 Oct 2024 16:25:19 +0200 Subject: [PATCH 1/4] error_response_missing_openid_scope --- documentation/CAMARA-Security-Interoperability.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/documentation/CAMARA-Security-Interoperability.md b/documentation/CAMARA-Security-Interoperability.md index 7744060..cfe3733 100644 --- a/documentation/CAMARA-Security-Interoperability.md +++ b/documentation/CAMARA-Security-Interoperability.md @@ -203,7 +203,7 @@ This document defines that the authentication server SHOULD not return an id tok This document defines the following error handling for a missing "openid" value in scope. Please refer to [Authentication Error Response](https://openid.net/specs/openid-connect-core-1_0.html#AuthError). -If "openid" is missing in the scope value but a claim that is [standardized in OIDC](https://openid.net/specs/openid-connect-core-1_0.html#Claims) is requested, then the Authorization Server returns an HTTP response code of 400 (Bad Request) and an error invalid_request. +If "openid" is missing in the scope value but a claim that is [standardized in OIDC](https://openid.net/specs/openid-connect-core-1_0.html#Claims) is requested, then the Authorization Server returns an error `invalid_request`. Clients SHOULD follow the OIDC and CIBA standard and SHOULD include `openid` in the list of requested scopes. The [id token](https://openid.net/specs/openid-connect-core-1_0.html#IDToken) contains the `sub` field which is the identifier of the subject of the [OIDC authorization code](https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth) request respectively the [CIBA authentication request](https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html#auth_request). From 41ffacb132ee054ab7b7b0613faab822723927c5 Mon Sep 17 00:00:00 2001 
From: Axel Nennker Date: Wed, 9 Oct 2024 10:00:32 +0200 Subject: [PATCH 2/4] reference CIBA --- documentation/CAMARA-Security-Interoperability.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/documentation/CAMARA-Security-Interoperability.md b/documentation/CAMARA-Security-Interoperability.md index cfe3733..8e7cd7d 100644 --- a/documentation/CAMARA-Security-Interoperability.md +++ b/documentation/CAMARA-Security-Interoperability.md 
@@ -195,16 +195,19 @@ Therefore scopes should be available to API implementations. ## Missing "openid" scope -[OIDC Core Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest) states the following about the value of scope. +[OIDC Connect Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest) states the following about the value of scope. > REQUIRED. OpenID Connect requests MUST contain the openid scope value. If the openid scope value is not present, the behavior is entirely unspecified. Other scope values MAY be present. ... This document defines that the authentication server SHOULD not return an id token if `openid` is missing in the scope parameter. This document defines the following error handling for a missing "openid" value in scope. -Please refer to [Authentication Error Response](https://openid.net/specs/openid-connect-core-1_0.html#AuthError). +For OIDC please refer to [OIDC Authentication Error Response](https://openid.net/specs/openid-connect-core-1_0.html#AuthError). If "openid" is missing in the scope value but a claim that is [standardized in OIDC](https://openid.net/specs/openid-connect-core-1_0.html#Claims) is requested, then the Authorization Server returns an error `invalid_request`. +For CIBA please refer to [CIBA Authentication Error Response](https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html#auth_error_response). +If "openid" is missing in the scope value but a claim that is standardized in OIDC, then the Authorization Server returns an error `invalid_request` with an HTTP status code of 400 BAD_REQUEST. + Clients SHOULD follow the OIDC and CIBA standard and SHOULD include `openid` in the list of requested scopes. 
The [id token](https://openid.net/specs/openid-connect-core-1_0.html#IDToken) contains the `sub` field which is the identifier of the subject of the [OIDC authorization code](https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth) request respectively the [CIBA authentication request](https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html#auth_request). From ab7010d188b52e59e6db7d4e167785f77d3b101e Mon Sep 17 00:00:00 2001 From: Axel Nennker Date: Wed, 9 Oct 2024 16:07:15 +0200 Subject: [PATCH 3/4] Update documentation/CAMARA-Security-Interoperability.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Jesús Peña García-Oliva --- documentation/CAMARA-Security-Interoperability.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/documentation/CAMARA-Security-Interoperability.md b/documentation/CAMARA-Security-Interoperability.md index 8e7cd7d..a31a3a6 100644 --- a/documentation/CAMARA-Security-Interoperability.md +++ b/documentation/CAMARA-Security-Interoperability.md @@ -195,7 +195,7 @@ Therefore scopes should be available to API implementations. ## Missing "openid" scope -[OIDC Connect Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest) states the following about the value of scope. +[OpenID Connect Core Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest) states the following about the value of scope. > REQUIRED. OpenID Connect requests MUST contain the openid scope value. If the openid scope value is not present, the behavior is entirely unspecified. Other scope values MAY be present. ... This document defines that the authentication server SHOULD not return an id token if `openid` is missing in the scope parameter. From 820589d2f02eab79db693a2609a19e0c1a099899 Mon Sep 17 00:00:00 2001 
From: Axel Nennker Date: Thu, 10 Oct 2024 16:09:15 +0200 Subject: [PATCH 4/4] Update documentation/CAMARA-Security-Interoperability.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Jesús Peña García-Oliva --- documentation/CAMARA-Security-Interoperability.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/documentation/CAMARA-Security-Interoperability.md b/documentation/CAMARA-Security-Interoperability.md index a31a3a6..49b3d9c 100644 --- a/documentation/CAMARA-Security-Interoperability.md +++ b/documentation/CAMARA-Security-Interoperability.md 
@@ -203,10 +203,10 @@ This document defines that the authentication server SHOULD not return an id tok This document defines the following error handling for a missing "openid" value in scope. For OIDC please refer to [OIDC Authentication Error Response](https://openid.net/specs/openid-connect-core-1_0.html#AuthError). -If "openid" is missing in the scope value but a claim that is [standardized in OIDC](https://openid.net/specs/openid-connect-core-1_0.html#Claims) is requested, then the Authorization Server returns an error `invalid_request`. +If "openid" is missing in the scope value but a claim that is [standardized in OIDC](https://openid.net/specs/openid-connect-core-1_0.html#Claims) is requested, then the Authorization Server returns an `invalid_request` error code. For CIBA please refer to [CIBA Authentication Error Response](https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html#auth_error_response). -If "openid" is missing in the scope value but a claim that is standardized in OIDC, then the Authorization Server returns an error `invalid_request` with an HTTP status code of 400 BAD_REQUEST. +If "openid" is missing in the scope value but a claim that is standardized in OIDC, then the Authorization Server returns an HTTP 400 Bad request response with an `invalid_request` error code. Clients SHOULD follow the OIDC and CIBA standard and SHOULD include `openid` in the list of requested scopes. The [id token](https://openid.net/specs/openid-connect-core-1_0.html#IDToken) contains the `sub` field which is the identifier of the subject of the [OIDC authorization code](https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth) request respectively the [CIBA authentication request](https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html#auth_request).
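Review bot: In PATCH 1/4 (hunk @@ -203,7 +203,7 @@), dropping "an HTTP response code of 400 (Bad Request)" from the OIDC sentence is correct for the authorization code flow, where the Authentication Error Response is carried as `error=invalid_request` on the redirect to the client's redirect_uri rather than as the status of a direct HTTP response, but the rewritten line does not say why, so a reader who knows the previous wording will assume the 400 is still implied. Suggest making it explicit, e.g. "... then the Authorization Server returns an `invalid_request` error in the Authentication Error Response (in the authorization code flow this is delivered on the redirect to the client, so no HTTP status code is mandated here)." The unchanged context line "the authentication server SHOULD not return an id token" also mixes an RFC 2119 keyword with a lowercase "not"; the defined term is "SHOULD NOT".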
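Review bot: In PATCH 2/4 (hunk @@ -195,16 +195,19 @@), the new CIBA sentence has no main verb: "If "openid" is missing in the scope value but a claim that is standardized in OIDC, then the Authorization Server returns ..." should read "... but a claim that is standardized in OIDC is requested, then ...", mirroring the OIDC sentence immediately above, and it should carry the same link to the OIDC Claims section so the two parallel rules are anchored to the same definition of "standardized claim". The first changed line also renames the reference to "OIDC Connect Authentication Request", which expands to "OpenID Connect Connect"; the removed "OIDC Core" (or the spelled-out "OpenID Connect Core") is the correct name. The HTTP 400 in the CIBA case is consistent with the backchannel authentication endpoint answering the client directly over HTTP, unlike the redirect-based OIDC case; one clause saying so would make the deliberate asymmetry between the two paragraphs clear.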
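Review bot: PATCH 3/4 (hunk @@ -195,7 +195,7 @@) only undoes the "OIDC Connect" rename introduced in PATCH 2/4, so it belongs squashed into that patch rather than landing as a separate commit whose subject is the generic "Update documentation/CAMARA-Security-Interoperability.md". If it is kept separate, give it a subject that names the change, e.g. "Fix reference title: OpenID Connect Core Authentication Request", so the history explains itself without opening the diff.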
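Review bot: In PATCH 4/4 (hunk @@ -203,10 +203,10 @@), the CIBA sentence is still ungrammatical after the rewording ("... but a claim that is standardized in OIDC, then the Authorization Server returns ..." lacks "is requested"), and "HTTP 400 Bad request" should use the conventional reason phrase "HTTP 400 Bad Request". Since this patch already touches both sentences, make them parallel: the same link to the OIDC Claims section, the same "is requested" clause, differing only in the final clause, i.e. "returns an `invalid_request` error code in the Authentication Error Response" for OIDC and "returns an HTTP 400 Bad Request response with an `invalid_request` error code" for CIBA. As written, a reader has to diff the two sentences to see that the only intended difference is the transport of the error.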