Clarify [non-]validation of openIdConnect scopes

[tedepstein]

Hoping someone can confirm what the spec says, and implies, about the scopes array in the Security Requirement Object:

• In Security Scheme Object, flows only applies to oauth2 security schemes.
  
  
  • Implies that openIdConnect and other security schemes MUST NOT have a flows property.
    
    
• In Security Requirement Object, "If the security scheme is of type oauth2 or openIdConnect, then the value is a list of scope names required for the execution." So it's implied that:
  
  
  • If the security scheme is of type "oauth2", each scope in the array MUST correspond to a scope declared in one or more OAuth Flows.
    
    
  • If the security scheme is of type "openIdConnect", each scope in the array SHOULD somehow be a meaningful scope or role as defined in the OIDC implementation, but there is no prescribed, deterministic way to verify this. So effectively, any string is allowed in this array.

Is that right?

[handrews]

Given that it's very easy to get people to tell you that you're wrong on the internet, and that it's been five years with this stuff in production and no further questions (or exlcamations of wrong-ness) have come up, I'm going to guess that "yeah that's right" and in practice it has not been a concern. Please feel free to re-file this if it's still a problem!