[Openid-specs-ab] LoginId hint
ve7jtb at ve7jtb.com
Tue Sep 4 14:47:46 UTC 2012
We have the "only sign in this user_id" in the request object already.
Perhaps we need clearer guidance to the IdP on what they need to do in that case.
This was intended for cases where you still want to let them log in as something else but want to have the IdP pre-fill.
One thing to note is that there is no guaranteed mapping between an email and a user_id.
On 2012-09-04, at 7:32 AM, Blaine Cook <romeda at gmail.com> wrote:
> I'm very, very glad to see this being codified.
> So, I know that it doesn't affect the security properties, and the
> client will always need to verify that the requested user matches the
> one that was / is expected, but rather than just a hint, would it be
> possible for this parameter to semantically mean (on agreement between
> a cooperating IdP and RP):
> "Only sign in the user identified by user_id. If it's not possible to
> sign in that user, please return an error."
> Having this agreement would simplify the vast majority of interaction
> design around sign in.
> I've recorded a video that goes through the failure case of what
> happens when we don't have this parameter:
> I hope that helps define this parameter. As I've said a number of
> times before, I firmly believe that this parameter is the most
> important one for OpenID Connect to be a viable tool.
> On 1 September 2012 09:43, Roland Hedberg <roland.hedberg at adm.umu.se> wrote:
>> Nat Sakimura wrote 2012-08-31 01:54:
>>> I think we had similar discussion before and the result then was to
>>> signify that it is a hint through the parameter name. I support login_hint.
>> -- Roland
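The client-side check mentioned in the thread (verify that the user who came back is the one expected, and do not treat an email hint as an identifier), as an added example that is not part of the original messages. It assumes the ID Token signature and audience were already validated; `PendingLogin`, `Result`, `check_returned_user` and the sample values are hypothetical, and `user_id` is the claim name used in this thread.

```python
from typing import NamedTuple, Optional, Tuple


class PendingLogin(NamedTuple):
    """What the RP stored in its session before redirecting to the IdP."""
    issuer: str
    login_hint: Optional[str] = None        # e.g. an email; only pre-fills the IdP form
    required_user_id: Optional[str] = None  # set when only this account is acceptable


class Result(NamedTuple):
    accepted: bool
    reason: str
    account_key: Optional[Tuple[str, str]] = None  # (iss, user_id) for the local lookup


def check_returned_user(pending: PendingLogin, claims: dict) -> Result:
    """Check the claims of an already signature-validated ID Token."""
    iss, user_id = claims.get("iss"), claims.get("user_id")
    if iss != pending.issuer:
        return Result(False, "unexpected issuer")
    if not isinstance(user_id, str) or not user_id:
        return Result(False, "missing user_id claim")
    # A specific account was required: compare identifiers, never emails.
    if pending.required_user_id is not None and user_id != pending.required_user_id:
        return Result(False, "a different user signed in")
    # Hint-only request: the user may have picked another account at the IdP.
    # login_hint is deliberately not compared with anything, because an email
    # has no guaranteed mapping to a user_id.
    return Result(True, "ok", (iss, user_id))


# Constructed sample values, for illustration only.
ISS = "https://idp.example"

if __name__ == "__main__":
    strict = PendingLogin(ISS, required_user_id="24400320")
    hinted = PendingLogin(ISS, login_hint="alice@example.com")
    print(check_returned_user(strict, {"iss": ISS, "user_id": "24400320"}))
    print(check_returned_user(strict, {"iss": ISS, "user_id": "99"}))
    print(check_returned_user(hinted, {"iss": ISS, "user_id": "99"}))
```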