[Openid-specs-ab] Update to the prompt-create spec
George Fletcher
gffletch at aol.com
Wed Sep 8 16:40:33 UTC 2021
Hi,
I've addressed the issues filed for the prompt=create spec. An update
txt version of the spec is attached. The latest version is also checked
into the main branch. Issues addressed include...
#1193, #1192, #1191, #1190, #1189, #1188
Comments/feedback greatly appreciated!
Thanks,
George
-------------- next part --------------
GFF. Fletcher
Verizon Media
September 8, 2021
Initiating User Registration via OpenID Connect - draft 04
openid-connect-prompt-create-1_0
Abstract
An extension to the OpenID Connect Authentication Framework defining
a new value for the "prompt" parameter that instructs the OpenID
Provider to start the user flow with user registration and after the
user account has been created return an authorization code to the
client to complete the authentication flow.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 1
2. Requirements Notation and Conventions . . . . . . . . . . . . 2
3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 2
4. Prompt Parameter . . . . . . . . . . . . . . . . . . . . . . 2
4.1. Authorization Request . . . . . . . . . . . . . . . . . . 2
4.2. Discovery Metadata . . . . . . . . . . . . . . . . . . . 3
5. Security Considerations . . . . . . . . . . . . . . . . . . . 4
6. References . . . . . . . . . . . . . . . . . . . . . . . . . 4
6.1. Normative References . . . . . . . . . . . . . . . . . . 4
6.2. Informative References . . . . . . . . . . . . . . . . . 4
Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 5
Appendix B. Notices . . . . . . . . . . . . . . . . . . . . . . 5
Appendix C. Document History . . . . . . . . . . . . . . . . . . 6
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 6
1. Introduction
Several years of deployment and implementation experience with OpenID
Connect Core 1.0 [OpenID.Core] has uncovered a need, in some
circumstances, for the client to explicitly signal to the OpenID
Provider that the user desires to create a new account rather than
authenticate an existing identity.
This allows the client to indicate to the OpenID Provider that the
user desires to create an account. This improves the user experience
because the user doesn't have to first see the login form and then
find the sign-up link on the form and select it before getting to the
user's desired action.
This specification defines a new value for the "prompt" parameter.
Fletcher Expires March 12, 2022 [Page 1]
OIDC Prompt Create September 2021
2. Requirements Notation and Conventions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in RFC
2119 [RFC2119].
In the .txt version of this specification, values are quoted to
indicate that they are to be taken literally. When using these
values in protocol messages, the quotes MUST NOT be used as part of
the value. In the HTML version of this specification, values to be
taken literally are indicated by the use of "this fixed-width font".
3. Terminology
This specification uses the terms "authorization endpoint",
"authorization request", "authorization response", and "client"
defined by The OAuth 2.0 Authorization Framework [RFC6749].
4. Prompt Parameter
In requests to the OpenID Provider, a client MAY indicate that the
desired user experience is for the user to immediately see the user
account creation UI instead of the login behavior.
prompt
A value of "create" indicates to the OpenID Provider that the
client desires that the user be shown the account creation UX
rather than the login flow. Care must be taken if combining this
value with other "prompt" values. Mutually exclusive conditions
can arise so it is RECOMMENDED that "create" not be combined with
any other values.
4.1. Authorization Request
When the "prompt" parameter is used in an authorization request to
the authorization endpoint with the value of "create", it indicates
that the user has chosen to be shown the account creation experience
rather than the login experience. Whether the AS creates a brand new
identity or helps the user authenticate an identity they already have
is out of scope for this specification. The behavior is the same for
all response types.
For authorization requests sent as a JWTs, such as when using
Section 6 of OpenID Connect Core 1.0 [OpenID.Core], the "prompt"
claim value MUST be a space delimited set of prompt values in keeping
with Section 3.1.2.1 of OpenID Connect Core 1.0.
Fletcher Expires March 12, 2022 [Page 2]
OIDC Prompt Create September 2021
If the OpenID Provider receives a prompt value that it does not
support (not declared in the "prompt_values_supported" metadata
field) the OP SHOULD respond with an HTTP 400 (Bad Request) status
code and an error value of "invalid_request". It is RECOMMENDED that
the OP return an error_description value identifying the invalid
parameter value.
In Figure 1 is an example of an authorization request using the
"code" response type where the client tells the OpenID Provider that
it wants the user to start from the account creation user experience
(extra line breaks and indentation are for display purposes only).
GET /as/authorization.oauth2?response_type=code
&client_id=s6BhdRkqt3
&state=tNwzQ87pC6llebpmac_IDeeq-mCR2wLDYljHUZUAWuI
&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Eorg%2Fcb
&scope=openid%20profile
&prompt=create HTTP/1.1
Host: authorization-server.example.com
Figure 1: Code Flow Authorization Request
4.2. Discovery Metadata
This specification extends the OpenID Connect Discovery Metadata
Section 3 [OpenID.Discovery] and defines the following:
prompt_values_supported
OPTIONAL. JSON array containing the list of prompt values that
this OP supports.
This metadata element is OPTIONAL in the context of the OpenID
Provider not supporting the "create" value. If omitted, the Relying
Party should assume that this specification is not supported. The
OpenID Provider MAY provide this metadata element even if it doesn't
support the "create" value.
Specific to this specification, a value of "create" in the arrauy
indicates to the Relying party that this OpenID Provider supports
this specification. If an OpenID Provider supports this
specification it MUST define this metadata element in the openid-
configuration file. Additionally, if this metadata element is
defined by the OpenID Provider, the OP must also specify all other
prompt values which it supports.
Fletcher Expires March 12, 2022 [Page 3]
OIDC Prompt Create September 2021
5. Security Considerations
Placeholder for now
6. References
6.1. Normative References
[OpenID.Core]
Sakimura, N., Bradley, J., Jones, M., de Medeiros, B., and
C. Mortimore, "OpenID Connect Core 1.0", November 2014,
<http://openid.net/specs/openid-connect-core-1_0.html>.
[OpenID.Discovery]
Sakimura, N., Bradley, J., Jones, M., and E. Jay, "OpenID
Connect Discovery 1.0", November 2014.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>.
[RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
Resource Identifier (URI): Generic Syntax", STD 66,
RFC 3986, DOI 10.17487/RFC3986, January 2005,
<https://www.rfc-editor.org/info/rfc3986>.
[RFC6749] Hardt, D., Ed., "The OAuth 2.0 Authorization Framework",
RFC 6749, DOI 10.17487/RFC6749, October 2012,
<https://www.rfc-editor.org/info/rfc6749>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>.
6.2. Informative References
[I-D.ietf-oauth-jwsreq]
Sakimura, N. and J. Bradley, "The OAuth 2.0 Authorization
Framework: JWT Secured Authorization Request (JAR)",
draft-ietf-oauth-jwsreq-20 (work in progress), October
2019.
[RFC6750] Jones, M. and D. Hardt, "The OAuth 2.0 Authorization
Framework: Bearer Token Usage", RFC 6750,
DOI 10.17487/RFC6750, October 2012,
<https://www.rfc-editor.org/info/rfc6750>.
Fletcher Expires March 12, 2022 [Page 4]
OIDC Prompt Create September 2021
[RFC7519] Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token
(JWT)", RFC 7519, DOI 10.17487/RFC7519, May 2015,
<https://www.rfc-editor.org/info/rfc7519>.
[RFC7644] Hunt, P., Ed., Grizzle, K., Ansari, M., Wahlstroem, E.,
and C. Mortimore, "System for Cross-domain Identity
Management: Protocol", RFC 7644, DOI 10.17487/RFC7644,
September 2015, <https://www.rfc-editor.org/info/rfc7644>.
[RFC7662] Richer, J., Ed., "OAuth 2.0 Token Introspection",
RFC 7662, DOI 10.17487/RFC7662, October 2015,
<https://www.rfc-editor.org/info/rfc7662>.
Appendix A. Acknowledgements
This specification was developed within OpenID connect Working Group
of the OpenID Foundation. Additionally, the following individuals
contributed ideas, feedback, and wording that helped shape this
specification:
o Filip Skokan
o Joseph Heenan
o William Dennis
Appendix B. Notices
Copyright (c) 2020 The OpenID Foundation.
The OpenID Foundation (OIDF) grants to any Contributor, developer,
implementer, or other interested party a non-exclusive, royalty free,
worldwide copyright license to reproduce, prepare derivative works
from, distribute, perform and display, this Implementers Draft or
Final Specification solely for the purposes of (i) developing
specifications, and (ii) implementing Implementers Drafts and Final
Specifications based on such documents, provided that attribution be
made to the OIDF as the source of the material, but that such
attribution does not indicate an endorsement by the OIDF.
The technology described in this specification was made available
from contributions from various sources, including members of the
OpenID Foundation and others. Although the OpenID Foundation has
taken steps to help ensure that the technology is available for
distribution, it takes no position regarding the validity or scope of
any intellectual property or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this specification or the extent to which any license under such
Fletcher Expires March 12, 2022 [Page 5]
OIDC Prompt Create September 2021
rights might or might not be available; neither does it represent
that it has made any independent effort to identify any such rights.
The OpenID Foundation and the contributors to this specification make
no (and hereby expressly disclaim any) warranties (express, implied,
or otherwise), including implied warranties of merchantability, non-
infringement, fitness for a particular purpose, or title, related to
this specification, and the entire risk as to implementing this
specification is assumed by the implementer. The OpenID Intellectual
Property Rights policy requires contributors to offer a patent
promise not to assert certain patent claims against other
contributors and against implementers. The OpenID Foundation invites
any interested party to bring to its attention any copyrights,
patents, patent applications, or other proprietary rights that may
cover technology that may be required to practice this specification.
Appendix C. Document History
[[ To be removed from the final specification ]]
-04 - 2020-11-04
o Incorporated feedback from issued filed in bitbucket. Also
removed the 'implicit' flow example. Updated text regarding what
the OP should do if it does not support a requested prompt value.
-03
o Added OpenID Foundation copyright notice.
2019-10-02
o Incorporated feedback from the working group. Add text around
prompt=create being more than a hint but an expectation of an
action to be performed.
2019-02-01
o Removed "MUST" normative text and replacec with concept that
prompt=create is more of a hint to the OpenID Provider.
Author's Address
George Fletcher
Verizon Media
Email: gffletch at aol.com
Fletcher Expires March 12, 2022 [Page 6]
More information about the Openid-specs-ab
mailing list