[Openid-specs-ab] Messages -15 RC: id_token_hint not clear

Mike Jones Michael.Jones at microsoft.com
Mon Jan 28 20:08:19 UTC 2013

I've created http://hg.openid.net/connect/issue/722/messages-211-text-on-id_token_hint-needs to track this issue.

                                                                -- Mike

From: openid-specs-ab-bounces at lists.openid.net [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of Brian Campbell
Sent: Friday, January 25, 2013 2:17 PM
To: <openid-specs-ab at lists.openid.net>
Subject: [Openid-specs-ab] Messages -15 RC: id_token_hint not clear

After reading the text about id_token_hint, I'm not at all sure what it means. The whole thing is confusing to me but the various language around encryption is particularly confusing. And what is the AS/OP supposed to actually do with this hint anyway?

Spec text from near the bottom of this section (http://openid.net/specs/openid-connect-messages-1_0-15.html#auth_req):

OPTIONAL. ID Token (http://openid.net/specs/openid-connect-messages-1_0-15.html#id_token) passed to the Authorization server as a hint about the user's current or past authenticated session with the client. This SHOULD be present if prompt=none is sent. The value is a JWS [JWS] (http://openid.net/specs/openid-connect-messages-1_0-15.html#JWS) encoded ID token as signed by the issuer; the JWS [JWS] may be JWE [JWE] (http://openid.net/specs/openid-connect-messages-1_0-15.html#JWE) encrypted by the public key of the issuer for additional confidentiality. If the ID Token received by the RP was encrypted, the Client MUST decrypt the signed ID Token. The Client MAY re-encrypt using the key that the server is capable of decrypting. For a self-issued ID Token, the sub (subject) of the ID Token MUST be sent as the kid (Key ID) of the JWE.
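The question raised above ("what is the AS/OP supposed to actually do with this hint?") is easiest to answer with the server-side checks written out. The following is an added example, not code from the thread, the draft, or any OpenID implementation. It assumes a constructed HS256-signed ID Token (chosen only so the example runs on the Python standard library; real issuers normally sign with an asymmetric key, and a JWE-encrypted hint would first be decrypted with the OP's private key, which the standard library cannot do, so that branch only parses the protected header and reports the kid). The decisions it takes are design choices of the example: the signature, iss and aud of the hint are verified; the hint is then used only to identify which user the client believes is logged in, so an expiry check is deliberately omitted; a hint whose sub does not match the OP's current session yields a "login_required" decision instead of a silent prompt=none success.

```python
import base64
import hashlib
import hmac
import json

# Constructed values for the example; not from the draft or any deployment.
OP_ISSUER = "https://op.example"
OP_SIGNING_KEY = b"constructed-shared-hs256-key"  # assumption: HS256 so stdlib suffices


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_id_token(claims: dict, key: bytes) -> str:
    """Build the compact JWS ID Token the OP issued earlier (HS256, example only)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def classify_hint(hint: str) -> str:
    """Compact JWS has three dot-separated parts, compact JWE has five."""
    n = hint.count(".") + 1
    if n == 3:
        return "JWS"
    if n == 5:
        return "JWE"
    raise ValueError("id_token_hint is neither a compact JWS nor a compact JWE")


def evaluate_id_token_hint(hint: str, key: bytes, issuer: str, client_id: str, session_sub):
    """OP-side handling of id_token_hint. Returns (decision, reason).

    decision is one of: "ok", "login_required", "needs_decrypt", "error".
    session_sub is the subject of the end-user currently logged in at the OP, or None.
    """
    kind = classify_hint(hint)
    protected = json.loads(b64url_decode(hint.split(".")[0]))
    if kind == "JWE":
        # A real OP decrypts with its own private key here; for a self-issued
        # token the draft says the JWE kid carries the token's sub.
        return ("needs_decrypt", f"encrypted hint, kid={protected.get('kid')!r}")

    h, p, s = hint.split(".")
    if protected.get("alg") != "HS256":
        return ("error", f"unsupported alg {protected.get('alg')!r}")
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return ("error", "signature does not verify with the OP's key")

    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != issuer:
        return ("error", "hint was not issued by this OP")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        return ("error", "hint was not issued to the requesting client")

    # No exp check: the hint only names the user the client thinks is logged in.
    if session_sub is None:
        return ("login_required", "no end-user session at the OP")
    if claims.get("sub") != session_sub:
        return ("login_required", "hint subject differs from the current end-user")
    return ("ok", "hint matches the current end-user session")


if __name__ == "__main__":
    token = sign_id_token({"iss": OP_ISSUER, "sub": "alice", "aud": "client-1"}, OP_SIGNING_KEY)
    print(evaluate_id_token_hint(token, OP_SIGNING_KEY, OP_ISSUER, "client-1", "alice"))
    print(evaluate_id_token_hint(token, OP_SIGNING_KEY, OP_ISSUER, "client-1", "bob"))
    print(evaluate_id_token_hint(token, b"wrong-key", OP_ISSUER, "client-1", "alice"))
```

With prompt=none, "ok" lets the OP answer without interaction, "login_required" becomes the corresponding error response, and "error" means the hint itself should be rejected rather than trusted as a weaker form of identification.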
