Authorization Code without openid scope returns ID token

[isegura-eos-eng]

I'm using version 3.30.0 in my server. Before this update I ran version 3.23.2. If I'm not mistaken, the previous implementation returned an error when requesting the authorization code without the openid scope. Now however, it happens two things that I'm not sure why:

• I cannot make the Auth Code request without the scope parameter.
• I can make the Auth Code request with any one valid scope (including custom) and it will always return the ID token, even if the openid scope is not included in the request.

The code is clear:

oidc/pkg/op/auth_request.go

Lines 268 to 286 in 3b64e79

	// ValidateAuthReqScopes validates the passed scopes and deletes any unsupported scopes.
	// An error is returned if scopes is empty.
	func ValidateAuthReqScopes(client Client, scopes []string) ([]string, error) {
	if len(scopes) == 0 {
	return nil, oidc.ErrInvalidRequest().
	WithDescription("The scope of your request is missing. Please ensure some scopes are requested. " +
	"If you have any questions, you may contact the administrator of the application.")
	}
	scopes = slices.DeleteFunc(scopes, func(scope string) bool {
	return !(scope == oidc.ScopeOpenID ||
	scope == oidc.ScopeProfile ||
	scope == oidc.ScopeEmail ||
	scope == oidc.ScopePhone ||
	scope == oidc.ScopeAddress ||
	scope == oidc.ScopeOfflineAccess) &&
	!client.IsScopeAllowed(scope)
	})
	return scopes, nil
	}

I would understand the first point if the server does only implement OIDC, however, as far as I know, this is done by enforcing the opeind scope, which it was the case before.

The second point is confusing to me. I guess that the server can send the ID token if it so pleases, but it feels wrong. From the spec's Introduction section:

OpenID Connect implements authentication as an extension to the OAuth 2.0 authorization process. Use of this extension is requested by Clients by including the openid scope value in the Authorization Request.

Is this an expected behaviour? If so, can I get some context of why is it implemented like this? I couldn't find any issue regarding this (maybe I didn't use the right keywords).