[Openid-specs-ab] Issue #523 Messages 2.1.4 - session_selection_required is leaking PII
gffletch at aol.com
Fri Jan 27 00:37:58 UTC 2012
After looking at this issue, we decided on the call today to propose the
following change to the Messages spec.
Remove error responses *login_required*,
*session_selection_required*, *consent_required* and
*user_mismatched*. Replace these error responses with the following...
End-User interaction is required at the Authorization Server. This
error MAY be returned when the user is required to perform some
action at the Authorization server and the /prompt/ parameter in the
Authorization Request is set to /none/. For example, the
Authorization Server may require the user to authenticate before
granting the authorization request.
The rationale is that the user needs to interact with the Authorization
server anyway so only one error response is needed.
Wondering if this causes any issues with the recent developments with
the session management ideas.
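As an added illustration (not code from this thread or from any spec text), the following Python sketch contrasts the per-condition error codes named above with one collapsed error for a prompt=none request, and counts how many distinct responses an RP can observe in each case; the state names and the replacement code "interaction_required" are assumptions, since the message does not name the new code.

```python
"""Illustrative authorization-endpoint logic for prompt=none.

Added example, not from the mailing-list thread. UserState values and the
collapsed error code 'interaction_required' are assumptions for this sketch.
"""
from enum import Enum, auto


class UserState(Enum):
    AUTHENTICATED_CONSENTED = auto()
    NO_SESSION = auto()
    MULTIPLE_SESSIONS = auto()
    NO_CONSENT = auto()
    WRONG_USER = auto()


# Pre-change mapping: every condition gets its own error code, so an RP that
# sends prompt=none learns something about the browser's state at the AS
# (e.g. that more than one session exists) without any user interaction.
LEAKY_ERRORS = {
    UserState.NO_SESSION: "login_required",
    UserState.MULTIPLE_SESSIONS: "session_selection_required",
    UserState.NO_CONSENT: "consent_required",
    UserState.WRONG_USER: "user_mismatched",
}


def authorize_prompt_none(state, collapse_errors):
    """Response for an Authorization Request with prompt=none.

    collapse_errors=False reproduces the per-condition codes the message
    proposes to remove; collapse_errors=True returns one generic error.
    """
    if state is UserState.AUTHENTICATED_CONSENTED:
        return {"code": "<constructed-authorization-code>"}
    if collapse_errors:
        return {"error": "interaction_required",  # assumed replacement code
                "error_description": "End-User interaction is required "
                                     "at the Authorization Server"}
    return {"error": LEAKY_ERRORS[state]}


def distinguishable_states(collapse_errors):
    """Number of distinct error responses across all non-success states.

    1 means the RP learns nothing beyond 'interaction is required'.
    """
    responses = {tuple(sorted(authorize_prompt_none(s, collapse_errors).items()))
                 for s in UserState if s is not UserState.AUTHENTICATED_CONSENTED}
    return len(responses)
```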