oauth2.dev

scope

IESG

Registry Context

In OAuth 2.0 Dynamic Client Registration, `scope` identifies the space-separated scope values that a client can use when requesting access tokens. The metadata field is optional, and the authorization server may assign a default set of scopes when it is omitted.

Technical Summary

RFC 7591 defines `scope` as a JSON string containing a space-separated list of scope values as described by RFC 6749 Section 3.3. Scope semantics are service-specific. If the field is omitted, the authorization server may register the client with default scopes.

When Used

When dynamically registering a client to request particular access-token scopes, or when an authorization server assigns default scopes.

Normative Requirements

Authorization servers

MUST
2
  1. RFC 7591 - Section 2

    Ignore `scope` metadata that it does not understand..

    Condition: When the authorization server does not understand the metadata field.

    The authorization server MUST ignore any client metadata sent by the client that it does not understand.

  2. RFC 7591 - Section 2

    Give the `scope` claim in a software statement precedence over the `scope` value in the registration request..

    Condition: When `scope` is present in both locations and the authorization server trusts the software statement.

    If the same client metadata name is present in both locations and the software statement is trusted by the authorization server, the value of a claim in the software statement MUST take precedence.

MAY
2
  1. RFC 7591 - Section 2

    Register the client with a default set of scopes..

    Condition: When `scope` is omitted.

    If omitted, an authorization server MAY register a client with a default set of scopes.

  2. RFC 7591 - Section 2

    Reject a requested `scope` value by replacing it with a suitable default or returning an error response..

    Condition: When processing a requested client metadata value.

    The authorization server MAY reject any requested client metadata values by replacing requested values with suitable defaults or by returning an error response.

Implementations

OPTIONAL
1
  1. RFC 7591 - Section 2

    Implement and use the `scope` client metadata field..

    Condition: Unless stated otherwise by an applicable specification.

    The implementation and use of all client metadata fields is OPTIONAL, unless stated otherwise.

Validation Guidance

info

Allow `scope` to be absent from client metadata.

error

When present, verify that `scope` is a JSON string containing a space-separated list of scope values.

info

Do not treat omission of `scope` as invalid; the authorization server may assign default scopes.

error

If the authorization server does not understand `scope`, ignore it rather than failing solely because it is unrecognized.

info

Permit the authorization server to replace an unacceptable requested `scope` value with a suitable default or return an error response.

error

When trusted software-statement and registration-request values for `scope` conflict, use the software-statement value.

Reference

Details

Entry Id
scope
Client Metadata Name
scope
Client Metadata Description
Space-separated list of OAuth 2.0 scope values
Change Controller
IESG
Reference
RFC7591