scopes_ supported
Registry Context
A recommended authorization server metadata member listing OAuth 2.0 scope values supported by the server. The server may advertise only a subset of its supported scopes. If the array would contain no elements, the member must be omitted.
Technical Summary
`scopes_supported` is a JSON array of OAuth 2.0 `scope` values supported by the authorization server. Its inclusion is RECOMMENDED. A server MAY omit some supported scope values from the advertised list, and an empty array MUST be omitted from the metadata response.
When Used
Used when publishing or validating OAuth 2.0 authorization server metadata containing supported scope information.
Normative Requirements
Authorization servers
RFC 8414 - Section 3.2
Omit `scopes_supported` from the metadata response when its array would contain zero elements..
Condition: When `scopes_supported` would otherwise be an empty JSON array.
"Claims with zero elements MUST be omitted from the response."
RFC 8414 - Section 2
Include `scopes_supported` as a JSON array containing OAuth 2.0 `scope` values that the authorization server supports..
Condition: When publishing authorization server metadata.
"RECOMMENDED. JSON array containing a list of the OAuth 2.0 [RFC6749] \"scope\" values that this authorization server supports."
RFC 8414 - Section 2
Omit some supported scope values from `scopes_supported`..
Condition: Even when the `scopes_supported` parameter is used.
"Servers MAY choose not to advertise some supported scope values even when this parameter is used."
Validation Guidance
Allow `scopes_supported` to be absent; its inclusion is recommended but not required.
Do not report an error merely because the advertised scopes appear to be a subset of those supported by the authorization server.
Report an empty `scopes_supported` array as an error; the member must be omitted instead.
Reference
Details
- Entry Id
scopes_supported - Metadata Name
scopes_supported - Metadata Description
JSON array containing a list of the OAuth 2.0 "scope" values that this authorization server supports- Change Controller
IESG- Reference
RFC8414 - Section 2