[Openid-specs-ab] Issue #523 Messages 2.1.4 - session_selection_required is leaking PII

George Fletcher gffletch at aol.com
Fri Jan 27 00:37:58 UTC 2012


Hi Breno,

After looking at this issue, we decided on the call today to propose the 
following change to the Messages spec.

    Remove error responses *login_required*,
    *session_selection_required*, *consent_required* and
    *user_mismatched*. Replace these error responses with the following...

    *interaction_required*
    End-User interaction is required at the Authorization Server. This
    error MAY be returned when the user is required to perform some
    action at the Authorization Server and the /prompt/ parameter in the
    Authorization Request is set to /none/. For example, the
    Authorization Server may require the user to authenticate before
    granting the authorization request.

The rationale is that the user needs to interact with the Authorization 
server anyway so only one error response is needed.

Wondering if this causes any issues with the recent developments with 
the session management ideas.

Thanks,
George
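As an added illustration of the leak this proposal closes (not code from the original message, the Messages spec, or any OpenID implementation): a hypothetical Authorization Server helper, run over constructed session state, that shows the old per-reason error codes beside the consolidated interaction_required response. The SessionState fields, the login_hint comparison and the function names are assumptions.

```python
"""Hypothetical Authorization Server handling of prompt=none (constructed example)."""
import logging
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlencode

log = logging.getLogger("as.authz")


@dataclass
class SessionState:
    """What the AS knows about the browser sending the request (constructed fields)."""
    authenticated_subjects: list = field(default_factory=list)  # users logged in in this browser
    consented_clients: set = field(default_factory=set)         # client_ids already granted consent


def needed_interaction(session: SessionState, client_id: str, login_hint: Optional[str]) -> Optional[str]:
    """Fine-grained reason the request cannot be satisfied silently, or None if it can."""
    if not session.authenticated_subjects:
        return "login_required"
    if len(session.authenticated_subjects) > 1:
        return "session_selection_required"
    if login_hint and login_hint not in session.authenticated_subjects:
        return "user_mismatched"
    if client_id not in session.consented_clients:
        return "consent_required"
    return None


def error_redirect(redirect_uri: str, error: str, state: Optional[str]) -> str:
    """Build the OAuth error redirect back to the RP, echoing state when present."""
    params = {"error": error}
    if state is not None:
        params["state"] = state
    return f"{redirect_uri}?{urlencode(params)}"


def handle_prompt_none(session, client_id, redirect_uri, state, login_hint=None, consolidate=True):
    """Decide the response to an Authorization Request carrying prompt=none.

    consolidate=False reproduces the old behaviour: each reason is sent to the RP as its own
    error code, so the RP learns whether this browser has zero, one or several sessions.
    consolidate=True returns only interaction_required, as proposed above, and keeps the
    detailed reason in the server-side log where the RP cannot observe it.
    """
    reason = needed_interaction(session, client_id, login_hint)
    if reason is None:
        return None  # proceed to issue the ID Token / tokens
    if not consolidate:
        return error_redirect(redirect_uri, reason, state)
    log.info("prompt=none refused for client %s: %s", client_id, reason)  # server side only
    return error_redirect(redirect_uri, "interaction_required", state)
```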