Is there a requirement for the Data Holder (DH) to validate the scopes requested in an authorisation request?
A use case as an example:
An ADR registers scope1 and scope2 with the DH during DCR. Later, the ADR requests that scope1 and scope3 be included in an authorisation request for the client.
Then should the DH:
- reject the authorisation request altogether,
- include both scope1 and scope3 in the authorisation request, or
- include only the originally registered scope1 in the authorisation request?
The Data Holder must validate all scopes within the authorisation requests received. The SSA represents a whitelist of scopes supported for a given client.
OIDC Core requirements outline the scope validation required for an authorisation request.
The Consumer Data Standards refer to normative references which define these requirements.
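A worked illustration of the answer above, added here and not part of the original thread: a Data Holder-side check that treats the scopes registered through DCR (taken from the client's SSA) as the whitelist, and rejects an authorisation request that carries an unregistered scope with the OAuth 2.0 `invalid_scope` error instead of silently adding or dropping it. The client id, the registry shape and the scope names are constructed assumptions.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Constructed stand-in for the registry a Data Holder builds during DCR:
# each client_id maps to the scopes carried in the SSA the ADR presented.
# scope1/scope2 are the placeholder names from the question above.
DCR_REGISTRY = {
    "client-abc": frozenset({"openid", "scope1", "scope2"}),
}

@dataclass(frozen=True)
class ScopeDecision:
    allowed: bool
    granted: FrozenSet[str] = frozenset()
    error: Optional[str] = None              # OAuth 2.0 error code (RFC 6749 s4.1.2.1)
    error_description: Optional[str] = None

def parse_scope_parameter(scope: str) -> List[str]:
    """Split the space-delimited scope parameter (RFC 6749 s3.3),
    dropping duplicates and surrounding whitespace."""
    seen: List[str] = []
    for token in scope.split():
        if token not in seen:
            seen.append(token)
    return seen

def validate_authorisation_scopes(client_id: str, scope: str) -> ScopeDecision:
    """Validate every requested scope against the client's DCR whitelist."""
    registered = DCR_REGISTRY.get(client_id)
    if registered is None:
        # RFC 6749 says not to redirect on an unknown client; the caller must
        # show the error to the user rather than send it to a redirect_uri.
        return ScopeDecision(False, error="invalid_request",
                             error_description="unknown client_id")
    requested = parse_scope_parameter(scope)
    if "openid" not in requested:
        return ScopeDecision(False, error="invalid_scope",
                             error_description="openid scope is required for an OIDC request")
    unregistered = sorted(s for s in requested if s not in registered)
    if unregistered:
        # Whitelist semantics: one unregistered scope fails the whole request.
        return ScopeDecision(False, error="invalid_scope",
                             error_description="scope(s) not registered for client: "
                             + " ".join(unregistered))
    return ScopeDecision(True, granted=frozenset(requested))
```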