Archived 2023.08.11. Content moved to Guidance on scopes.
Question
The CDR Support Portal knowledge article Mandatory Scopes Request suggests that at least one scope must be defined: openid.
Can a Data Holder (DH) reject a request from an Accredited Data Recipient (ADR) which does not have any data scopes defined?
Answer
The article Expected behaviour for scopes presented by an ADR to a DH discusses how to deal with various situations involving scopes. The final paragraph specifically states that a DH must reject a request that contains no scopes supported by the DH. A request with no scopes at all should be rejected on this basis.
A request with only the openid scope should be accepted. While the request may not receive any shared data in response, the request could act as a test to check the authorisation response.