[Openid-specs-ab] prompt=login clarification
Anganes, Amanda L
aanganes at mitre.org
Fri Aug 16 15:03:05 UTC 2013
This may be completely obvious and unworthy of clarification, but it made me do a double-take today so I thought I'd ask the list to weigh in.
When using prompt=login, if user A is currently logged in, it seems to be intended that ANY user can authenticate the request, even if they are not user A. The point of using prompt=login is that you want an active user to be present (and it doesn't matter who that active user is, or if their login overrides a stale login that was already present). The spec doesn't currently say anything about this:
OPTIONAL. Space delimited, case sensitive list of ASCII string values that specifies whether the Authorization Server prompts the End-User for reauthentication and consent. The defined values are:
The Authorization Server SHOULD prompt the End-User for reauthentication. If it cannot prompt the End-User, it MUST return an error.
(from Messages 184.108.40.206)
Should this be clarified? Is it totally obvious and we can leave it alone?
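A toy OpenID Provider decision routine for the prompt parameter, added here as an illustration that is not part of this post or of the spec text; it implements the reading described above (whoever completes the fresh login satisfies a prompt=login request, even if another user's session was present) plus the quoted "MUST return an error" rule, and the Session type, the authorize function and the interactive flag are assumptions of this example rather than anything the spec defines.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Hypothetical session record held by the OP (an assumption of this example).
@dataclass
class Session:
    sub: str        # subject identifier of the logged-in End-User
    auth_time: int  # epoch seconds of the last interactive authentication


def parse_prompt(raw: Optional[str]) -> List[str]:
    """Split the space-delimited, case-sensitive prompt value ("Login" != "login")."""
    return raw.split() if raw else []


def authorize(prompt: Optional[str],
              session: Optional[Session],
              interactive: bool,
              login_fn: Callable[[], Session]) -> Tuple[Optional[Session], Optional[str]]:
    """Decide how the OP satisfies an authorization request.

    prompt:      raw value of the prompt parameter, or None
    session:     the OP's current session for this browser, or None
    interactive: whether the OP is able to show a login UI right now
    login_fn:    performs the interactive login and returns the new Session
    Returns (session, error); error is None on success.
    """
    values = parse_prompt(prompt)
    if "login" in values:
        if not interactive:
            # "If it cannot prompt the End-User, it MUST return an error."
            # login_required is OpenID Connect's error code for this situation.
            return None, "login_required"
        # Reauthenticate regardless of any existing session. Under the reading
        # discussed in the post, the new session may belong to a different user
        # than session.sub; it simply replaces the stale one. An RP that needs
        # the same user back must compare the sub claim of the resulting ID
        # Token against the user it expected, since the OP does not enforce it.
        return login_fn(), None
    if session is not None:
        return session, None          # existing login is acceptable as-is
    if not interactive:
        return None, "login_required"  # no session and no way to obtain one
    return login_fn(), None
```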