Scopes Object should be optional?

[dwhieb]

The Security Scheme Object lists the Scopes Object as required. However, the OAuth 2.0 specification for the Access Token Scope allows the client to omit the scope parameter, as long as a default behavior is specified:

If the client omits the scope parameter when requesting authorization, the authorization server MUST either process the request using a pre-defined default value or fail the request indicating an invalid scope. The authorization server SHOULD document its scope requirements and default value (if defined).

In other places in the spec, the scope parameter is explicitly stated as optional.

Does this mean that the Scopes Object should be optional too? Or allowed to be empty?

I'm wondering because I'm implementing an API with the Implicit grant flow where there's only one scope. Since there's just the one, I didn't want to have to declare it explicitly.

[webron]

You can leave it empty, but that means none is required.

[dwhieb]

Great - that's exactly what I was hoping for.

Follow-up question though: For the Security Requirement Object, the spec says:

If the security scheme is of type "oauth2", then the value is a list of scope names required for the execution.

I assume the array can just be left empty too?

[webron]

Yup.

[dwhieb]

Awesome - thanks @webron!

[tedepstein]

@webron , would you mind reopening this issue? I'm submitting a PR to clarify that this usage is allowed. The spec is ambiguous or maybe misleading IMO, and we tripped over this in our implementation.

The OAuth Flow Object says that the scopes map is REQUIRED, and doesn't specify any meaning for an empty object value. We took this to mean that scopes is required to be present AND non-empty, otherwise an empty value would seem to be circumventing the intention of the spec.

Likewise, Security Requirement Object says:

If the security scheme is of type "oauth2" or "openIdConnect", then the value is a list of scope names required for the execution. For other security scheme types, the array MUST be empty.

It doesn't explicitly disallow an empty list for an OAuth security requirement, but taken in context, it's easy to assume, mistakenly, that the scopes array must be non-empty.

[webron]

@tedepstein that's fair for clarification, but there's no reason to reopen a ticket from 2015. I see you referenced the issue from the PR itself, and that should suffice.

[tedepstein]

@webron, OK. :-)