scope
Registry Context
In OAuth 2.0 Dynamic Client Registration, `scope` identifies the space-separated scope values that a client can use when requesting access tokens. The metadata field is optional, and the authorization server may assign a default set of scopes when it is omitted.
Technical Summary
RFC 7591 defines `scope` as a JSON string containing a space-separated list of scope values as described by RFC 6749 Section 3.3. Scope semantics are service-specific. If the field is omitted, the authorization server may register the client with default scopes.
When Used
When dynamically registering a client to request particular access-token scopes, or when an authorization server assigns default scopes.
Normative Requirements
Authorization servers
RFC 7591 - Section 2
Ignore `scope` metadata that it does not understand..
Condition: When the authorization server does not understand the metadata field.
The authorization server MUST ignore any client metadata sent by the client that it does not understand.
RFC 7591 - Section 2
Give the `scope` claim in a software statement precedence over the `scope` value in the registration request..
Condition: When `scope` is present in both locations and the authorization server trusts the software statement.
If the same client metadata name is present in both locations and the software statement is trusted by the authorization server, the value of a claim in the software statement MUST take precedence.
RFC 7591 - Section 2
Register the client with a default set of scopes..
Condition: When `scope` is omitted.
If omitted, an authorization server MAY register a client with a default set of scopes.
RFC 7591 - Section 2
Reject a requested `scope` value by replacing it with a suitable default or returning an error response..
Condition: When processing a requested client metadata value.
The authorization server MAY reject any requested client metadata values by replacing requested values with suitable defaults or by returning an error response.
Implementations
RFC 7591 - Section 2
Implement and use the `scope` client metadata field..
Condition: Unless stated otherwise by an applicable specification.
The implementation and use of all client metadata fields is OPTIONAL, unless stated otherwise.
Validation Guidance
Allow `scope` to be absent from client metadata.
When present, verify that `scope` is a JSON string containing a space-separated list of scope values.
Do not treat omission of `scope` as invalid; the authorization server may assign default scopes.
If the authorization server does not understand `scope`, ignore it rather than failing solely because it is unrecognized.
Permit the authorization server to replace an unacceptable requested `scope` value with a suitable default or return an error response.
When trusted software-statement and registration-request values for `scope` conflict, use the software-statement value.
Reference
Details
- Entry Id
scope- Client Metadata Name
scope- Client Metadata Description
Space-separated list of OAuth 2.0 scope values- Change Controller
IESG- Reference
RFC7591