1

Should an Open Banking authorization server reject or accept GET /token or /register endpoint requests with a NULL SCOPE?

When looking at the specs it is clear that the SCOPE is not mandatory, however on the registration, scopes are validated against the content of the certificate used. Without authorising a specific scope I would expect an increased risk of misuse/security issues within an immature server system where validation routines could be in their infancy.

Am I being paranoid? Is there valid scenarios where machine-to-machine authorisation is totally relevant without the use of SCOPE?

Martin Sansone - MiOEE
  • 4,281
  • 1
  • 29
  • 31

1 Answers1

1

Scopes are the functionality, which is going to be used by the client app. So if no scopes provided the token can be issued, but it can't be used for anything. I think if you are implementing the server side, you'd reject every call made with token like this (if allowing null scope at all).

But since you want to validate scopes agains the roles in the client app's certificate it would make sense to reject "make token" and/or "registration" requests in case one of the scopes is not allowed by the certificate of none of the requested scopes match with roles from the certificate.

Also take into account that Open Banking UK is based on the OpenID Connect spec and there "openid" scope is required: https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest

Fedor
  • 1,392
  • 1
  • 17
  • 30