[Openid-specs-ab] prompt=login clarification

Anganes, Amanda L aanganes at mitre.org
Fri Aug 16 15:03:05 UTC 2013

This may be completely obvious and unworthy of clarification, but it made me do a double-take today so I thought I'd ask the list to weigh in.

When using prompt=login, if user A is currently logged in, it seems to be intended that ANY user can authenticate the request, even if they are not user A. The point of using prompt=login is that you want an active user to be present (and it doesn't matter who that active user is, or if their login overrides a stale login that was already present). The spec doesn't currently say anything about this:

OPTIONAL. Space delimited, case sensitive list of ASCII string values that specifies whether the Authorization Server prompts the End-User for reauthentication and consent. The defined values are:

The Authorization Server SHOULD prompt the End-User for reauthentication. If it cannot prompt the End-User, it MUST return an error.
(from Messages

Should this be clarified? Is it totally obvious and we can leave it alone?
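An added illustration, not part of this message or of the OpenID specs: a minimal model of how an OP's authorization endpoint could process prompt=login under the reading above, so that a fresh login by any End-User replaces a stale session and the response's sub and auth_time follow that fresh login. Session, AuthzResult, authenticate and can_prompt are assumed names; the error code login_required is taken from OpenID Connect Core, which this message does not quote.

```python
import time
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass
class Session:
    """Browser session at the OP (assumed model); subject is None when nobody is logged in."""
    subject: Optional[str] = None
    auth_time: float = 0.0

@dataclass
class AuthzResult:
    """Values the OP would put into the ID Token (sub, auth_time), or the error code."""
    subject: Optional[str] = None
    auth_time: float = 0.0
    error: Optional[str] = None

def authorize(session: Session, prompt: Optional[str], can_prompt: bool,
              authenticate: Callable[[], Optional[str]],
              now: Optional[float] = None) -> AuthzResult:
    """Process the prompt parameter of one authentication request.

    authenticate() stands in for the OP's interactive login page and returns the
    subject of whoever just logged in, or None if the login did not complete.
    """
    now = time.time() if now is None else now
    values = prompt.split(" ") if prompt else []   # space delimited, case sensitive
    if "login" in values:
        if not can_prompt:
            # Quoted spec text: if the OP cannot prompt, it MUST return an error.
            return AuthzResult(error="login_required")
        fresh = authenticate()
        if fresh is None:
            return AuthzResult(error="login_required")
        # Any End-User may satisfy the reauthentication. The new login replaces the
        # stale one, so the session and the response are rebound to the fresh subject
        # rather than silently kept on the previous user.
        session.subject, session.auth_time = fresh, now
        return AuthzResult(fresh, now)
    if session.subject is not None:
        # No forced reauthentication: reuse the existing login and its auth_time.
        return AuthzResult(session.subject, session.auth_time)
    if not can_prompt:
        return AuthzResult(error="login_required")
    fresh = authenticate()
    if fresh is None:
        return AuthzResult(error="login_required")
    session.subject, session.auth_time = fresh, now
    return AuthzResult(fresh, now)
```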
