[Openid-specs-ab] [openid/connect] Messages 2.1.1 - Text on id_token_hint needs to be clarified (issue #722)

Michael Jones issues-reply at bitbucket.org
Mon Jan 28 20:08:01 UTC 2013

--- you can reply above this line ---

New issue 722: Messages 2.1.1 - Text on id_token_hint needs to be clarified

Michael Jones:

From: openid-specs-ab-bounces at lists.openid.net [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of Brian Campbell
Sent: Friday, January 25, 2013 2:17 PM
To: <openid-specs-ab at lists.openid.net>
Subject: [Openid-specs-ab] Messages -15 RC: id_token_hint not clear

After reading the text about id_token_hint, I'm not at all sure what it means. The whole thing is confusing to me but the various language around encryption is particularly confusing. And what is the AS/OP supposed to actually do with this hint anyway?

spec text from near the bottom of this section http://openid.net/specs/openid-connect-messages-1_0-15.html#auth_req

OPTIONAL. ID Token passed to the Authorization server as a hint about the user's current or past authenticated session with the client. This SHOULD be present if prompt=none is sent. The value is a JWS [JWS] encoded ID token as signed by the issuer, the JWS [JWS] may be JWE [JWE] encrypted by the public key of the issuer for additional confidentiality. If the ID Token received by the RP was encrypted, the Client MUST decrypt the signed ID Token. The Client MAY re-encrypt using the key that the server is capable of decrypting. For a self-issued ID Token, the sub (subject) of the ID Token MUST be sent as the kid (Key ID) of the JWE. 


This is an issue notification from bitbucket.org. You are receiving
this either because you are the owner of the issue, or you are
following the issue.

More information about the Openid-specs-ab mailing list