FHIR Chat · Can an auth server allow requests with no scope? · bulk data

Stream: bulk data

Topic: Can an auth server allow requests with no scope?


Lee Surprenant (Sep 15 2021 at 16:36):

Inferno "Auth-11: Token endpoint requires scope" claims that the server should reject requests to the token endpoint that do not specify a scope.

In my opinion, the bulk data spec requirement around supplying scope is really a requirement on the client.
A server should be allowed to grant some set of default scopes even if the client has not explicitly requested them.
I think this test should be removed from the suite.

Vladimir Ignatov (Sep 15 2021 at 16:39):

To clarify, the test is intentionally omitting the scope parameter and expects the server to reply with an error instead of granting a "default scope".

Lee Surprenant (Jan 11 2022 at 20:16):

Our implementation is still failing this Inferno test. Is there anything we can do to help move this one forward? Maybe open an issue on the inferno-community and/or bdt repos?

Dan Gottlieb (Jan 11 2022 at 22:29):

That makes sense to me, but scope is a required request parameter in the IG. @Josh Mandel is it valid to allow an empty string for scope in a backend services request (or in an app launch request for that matter)?

Josh Mandel (Jan 11 2022 at 22:48):

> A server should be allowed to grant some set of default scopes even if the client has not explicitly requested them.

We had this discussion for SMART App Launch and FHIR-32221 documents our choices (and what we chose not to say). Generally speaking: we want clients to request the scopes they need, but servers ultimately use this as one (of potentially many) inputs into the decision about what scopes to grant.

Josh Mandel (Jan 11 2022 at 22:48):

Trivially I believe that a client providing a scope parameter with an empty value meets the letter of our current spec.

Dan Gottlieb (Jan 11 2022 at 22:50):

So test "Auth-11: The server should reject requests to the token endpoint that do not specify a scope" is valid, but test "Auth-12: The server should reject requests to the token endpoint that are requesting an empty scope" is not?

Josh Mandel (Jan 11 2022 at 23:07):

I think that'd be my technical reading; and I don't hate that too much.

Lee Surprenant (Jan 12 2022 at 00:21):

I don't have any issue saying clients SHALL pass scopes, but that's a little different than saying servers SHALL reject clients that don't.
Here Inferno is acting as the client and violating this part of the spec, but since we're outside the spec anyway, I think our server should be allowed to assign some default scopes (or no scopes at all) instead of being forced to reject the request.
So I disagree that Auth-11 is a valid (or useful) test.

Dan Gottlieb (Jan 12 2022 at 16:19):

Fair point; it seems reasonable to treat it as a requirement on the client to provide, but not on the server to require.


Last updated: Apr 12 2022 at 19:14 UTC