[Openid-specs-ab] LoginId hint

Blaine Cook romeda at gmail.com
Tue Sep 4 10:32:09 UTC 2012


I'm very, very glad to see this being codified.

So, I know that it doesn't affect the security properties, and the
client will always need to verify that the requested user matches the
one that was / is expected, but rather than just a hint, would it be
possible for this parameter to semantically mean (on agreement between
a cooperating IdP and RP):

"Only sign in the user identified by user_id. If it's not possible to
sign in that user, please return an error."

Having this agreement would simplify the vast majority of interaction
design around sign in.

I've recorded a video that goes through the failure case of what
happens when we don't have this parameter:

http://www.youtube.com/watch?v=t2MGLkB9xDw&feature=youtu.be

I hope that helps define this parameter. As I've said a number of
times before, I firmly believe that this parameter is the most
important one for OpenID Connect to be a viable tool.

b.


On 1 September 2012 09:43, Roland Hedberg <roland.hedberg at adm.umu.se> wrote:
> Nat Sakimura wrote 2012-08-31 01:54:
>> I think we had similar discussion before and the result then was to
>> signify that it is a hint through the parameter name. I support login_hint.
>
> +1
>
> -- Roland


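The relying-party check the message says is always required, as an added example that is not part of the original thread or of any OpenID code: the RP sends `login_hint`, then rejects the response if the IdP signed in a different user. It assumes the ID token signature has already been verified, uses the `sub` claim name from the final OpenID Connect specification where the message says user_id, and all function names, URLs and values are constructed for illustration.

```python
import secrets
from urllib.parse import urlencode


class WrongUserError(Exception):
    """The IdP signed in a different user than the one the RP asked for."""


def build_auth_request(authz_endpoint, client_id, redirect_uri, login_hint):
    """Return (url, state, nonce) for an authorization request carrying login_hint."""
    state = secrets.token_urlsafe(16)
    nonce = secrets.token_urlsafe(16)
    params = {
        "response_type": "code",
        "scope": "openid",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "nonce": nonce,
        "login_hint": login_hint,  # only a hint: the IdP may ignore it
    }
    return f"{authz_endpoint}?{urlencode(params)}", state, nonce


def check_signed_in_user(claims, expected_iss, expected_sub, nonce):
    """Compare signature-verified ID token claims with the user the RP expected.

    Because login_hint is not binding, a mismatch is a normal outcome that the
    RP has to handle (for example by showing an error and restarting sign-in),
    not something the IdP is guaranteed to prevent.
    """
    if claims.get("nonce") != nonce:
        raise ValueError("nonce does not match the one sent in the request")
    if claims.get("iss") != expected_iss:
        raise WrongUserError("ID token came from an unexpected issuer")
    if claims.get("sub") != expected_sub:
        raise WrongUserError("IdP signed in a different user than requested")
    return claims["sub"]
```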