OAuth Scope Validation

Overview #

The OAuth Scope Validation process MUST be performed on every OAuth Scope request and on every response to one.

OAuth Scopes values are used to request Claims, but there is no guarantee that the Claims requested will be returned. The Authorization Server MAY deny some of the requested OAuth Scopes based on Authorization Policy, or the Resource Owner (End-User) MAY be given the option to have the OpenID Connect Provider decline to provide some or all of the information requested by a Relying Party. To minimize the amount of information the Resource Owner is being asked to disclose, a Relying Party can elect to request only a subset of the information available.

The OAuth Client/Relying Party MUST validate that the OAuth Scopes returned with the Access Token contain the OAuth Scopes it needs, and that the Claims in the UserInfo Response match the Claims the UserInfo Request asked for. The granted scopes are the scope parameter of the token response (RFC 6749 section 5.1), which the Authorization Server may omit only when the issued scope is identical to the scope the client requested; the client therefore has to keep the scope it requested and compare against it.

If the OAuth Client/Relying Party MUST have some OAuth Scope that was NOT granted, it should abort the process and return an appropriate error.

For example, the End-User may have chosen to authenticate only and not to grant the other OAuth Scopes, or the Authorization Server MAY have denied access under its Authorization Policy.
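The two checks above (granted scopes against required scopes, then UserInfo Response claims against the claims the granted scopes requested) as an added example; this is not code from the original page or from any particular OpenID Connect library. It assumes the token response is the JSON object from the token endpoint as described in RFC 6749 section 5.1, where a missing scope member means the issued scope equals the requested one, and it uses the standard scope-to-claims mapping from OpenID Connect Core 1.0 section 5.4. The token response and UserInfo Response are constructed sample data.

```python
"""Relying Party side OAuth Scope Validation (added example, not the page's own code).

Assumed, not stated on the page: the token response is the JSON object from the
token endpoint (RFC 6749 section 5.1), where a missing "scope" member means the
issued scope equals the requested one; the scope-to-claims mapping is the
OpenID Connect Core 1.0 section 5.4 table.
"""
from __future__ import annotations

# OpenID Connect Core 1.0 section 5.4: the Claims each standard scope requests.
SCOPE_CLAIMS: dict[str, set[str]] = {
    "openid": {"sub"},
    "profile": {"name", "family_name", "given_name", "middle_name", "nickname",
                "preferred_username", "profile", "picture", "website", "gender",
                "birthdate", "zoneinfo", "locale", "updated_at"},
    "email": {"email", "email_verified"},
    "address": {"address"},
    "phone": {"phone_number", "phone_number_verified"},
}


class ScopeValidationError(Exception):
    """The Relying Party MUST abort: a scope or claim it cannot do without was not granted."""


def granted_scopes(requested: str, token_response: dict) -> set[str]:
    """Scopes the Authorization Server actually issued (RFC 6749 section 5.1)."""
    return set(token_response.get("scope", requested).split())


def validate_scopes(requested: str, required: set[str], token_response: dict) -> set[str]:
    """Abort if a required scope is missing; otherwise return the denied (optional) scopes."""
    granted = granted_scopes(requested, token_response)
    missing = required - granted
    if missing:
        raise ScopeValidationError(f"required scope(s) not granted: {sorted(missing)}")
    return set(requested.split()) - granted


def validate_userinfo(granted: set[str], required_claims: set[str],
                      userinfo: dict) -> dict[str, set[str]]:
    """Compare the UserInfo Response with the Claims the granted scopes requested."""
    allowed = set().union(*(SCOPE_CLAIMS.get(s, set()) for s in granted))
    returned = set(userinfo)
    missing = required_claims - returned
    if missing:
        raise ScopeValidationError(f"required claim(s) not returned: {sorted(missing)}")
    return {
        # Claims a granted scope asked for that the provider still declined to supply.
        "declined": allowed - returned,
        # Claims not covered by any granted scope: the response does not match the
        # request. Log them and do not rely on them.
        "unexpected": returned - allowed,
    }


def complete_login(requested: str, required_scopes: set[str], required_claims: set[str],
                   token_response: dict, userinfo: dict) -> dict:
    """Run both checks in the order a Relying Party performs them after the token response."""
    denied = validate_scopes(requested, required_scopes, token_response)
    granted = granted_scopes(requested, token_response)
    claims = validate_userinfo(granted, required_claims, userinfo)
    return {"granted": granted, "denied_scopes": denied, **claims}


def demo() -> tuple[dict, str]:
    """Constructed exchange: the End-User agreed to authenticate and share a profile but
    declined the email scope. Returns the result for a Relying Party that can live
    without email, and the abort reason for one that cannot."""
    requested = "openid profile email"
    # Constructed token response; "scope" is present because it differs from the request.
    token_response = {"access_token": "SlAV32hkKG", "token_type": "Bearer",
                      "expires_in": 3600, "scope": "openid profile"}
    # Constructed UserInfo Response containing only claims covered by the granted scopes.
    userinfo = {"sub": "248289761001", "name": "Jane Doe", "preferred_username": "j.doe"}

    tolerant = complete_login(requested, {"openid"}, {"sub"}, token_response, userinfo)
    try:
        complete_login(requested, {"openid", "email"}, {"sub", "email"}, token_response, userinfo)
        strict_error = ""
    except ScopeValidationError as exc:
        strict_error = str(exc)
    return tolerant, strict_error


if __name__ == "__main__":
    result, error = demo()
    print("tolerant RP:", result)
    print("strict RP aborted:", error)
```

The requested scope is taken from what the client stored in its own session when it built the authorization request, never from anything the Authorization Server sends back, and the granted scope is taken from the token response rather than by decoding an opaque or unverified Access Token.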

