Archived 26/02/2024. Please see the Consumer Data Standards on Scopes and Claims.
Question
A client registration validation requirement in the Consumer Data Standards states “From 31st August 2022, Data Holders MUST ignore unsupported authorisation scopes presented in the SSA for the creation and update of client registrations.” Considering this requirement, what happens in the scenario where no scopes presented in the SSA are supported by Data Holder Brand? Should the DH create a client with no scope?
Answer
In practice it is highly unlikely for such a scenario to occur. For example, if an ADR does not present the openid scope, then the Authorisation Server cannot perform the OIDC Hybrid Flow. However, an Authorisation Server should still issue a valid authorisation response even if no scopes are supported, provided that the ADR does not violate other aspects of the request, such as the requirement for openid in the Hybrid Flow. It is also possible that an ADR may request only individual claims rather than any scopes for consumer data. See the FAPI 1.0 Baseline profile for additional details.
Question
Does the DH register a client in the scenario where the Get SSA response contains no scopes (an empty string), not even openid and profile?
Answer
Yes, on the condition that this does not violate other client requirements. In practice this does not occur because the SSA includes openid if the ADR is using the Hybrid Flow, and also includes all accredited scopes.
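The behaviour described in both answers above, as an added example that is not part of the original article or of any Data Holder's implementation: unsupported scopes in the SSA are dropped rather than rejected, an SSA with no supported scopes (or an empty scope string) still yields a registration, and the registration is refused only when some other client requirement is violated. The only "other requirement" modelled here is the one the answers mention, that the Hybrid Flow needs the openid scope; the supported-scope list, the assumption that the SSA carries scopes as a space-delimited string, the response_types check and all function names are assumptions for illustration.

```python
"""Scope handling for a CDR client registration request (illustrative only).

Assumptions not taken from the article: the SSA's scopes arrive as a
space-delimited "scope" string, a Hybrid Flow request is recognised by a
response_type containing "id_token", and the Data Holder brand's supported
scopes are the constructed list below. Names are hypothetical.
"""
from dataclasses import dataclass

# Constructed sample of the scopes one Data Holder brand supports.
SUPPORTED_SCOPES = frozenset({
    "openid",
    "profile",
    "bank:accounts.basic:read",
    "bank:transactions:read",
    "common:customer.basic:read",
})


@dataclass(frozen=True)
class RegistrationDecision:
    registered: bool          # True if the DH should create/update the client
    scopes: frozenset         # scopes actually granted to the client
    ignored: frozenset        # SSA scopes the DH dropped as unsupported
    reason: str


def filter_ssa_scopes(ssa_scope: str, supported=SUPPORTED_SCOPES):
    """Return (kept, ignored) for the SSA scope string.

    Unsupported scopes are ignored, not treated as an error. An empty or
    whitespace-only string yields two empty sets; that on its own is not a
    reason to refuse the registration.
    """
    requested = frozenset(ssa_scope.split())
    kept = requested & supported
    return kept, requested - kept


def decide_registration(ssa_scope: str, response_types, supported=SUPPORTED_SCOPES):
    """Apply the scope filter, then the one 'other client requirement' modelled
    here: a Hybrid Flow registration (response_type containing id_token) needs
    the openid scope. Anything else is registered, even with no scopes at all.
    """
    kept, ignored = filter_ssa_scopes(ssa_scope, supported)
    wants_hybrid = any("id_token" in rt.split() for rt in response_types)
    if wants_hybrid and "openid" not in kept:
        return RegistrationDecision(
            False, kept, ignored,
            "Hybrid Flow requested but the openid scope was not presented/supported",
        )
    return RegistrationDecision(True, kept, ignored, "registered")


if __name__ == "__main__":
    # Constructed inputs: one SSA with a scope the brand does not support,
    # one with no scopes at all, each paired with a response_type.
    for scope, rts in [
        ("openid profile bank:accounts.basic:read energy:accounts.basic:read", ["code id_token"]),
        ("", ["code"]),
        ("", ["code id_token"]),
    ]:
        d = decide_registration(scope, rts)
        print(f"scope={scope!r:70} response_types={rts} -> {d.registered} ({d.reason})")
```

The key property a practitioner should check in their own DCR endpoint is that the "ignore unsupported scopes" rule and the "register with no scopes" rule are separate from whatever other validation (openid for Hybrid Flow, accredited-scope checks, and so on) may legitimately reject the request; conflating them produces either spurious rejections or clients that cannot complete an authorisation.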