[Openid-specs-ab] Question about which ID Token to send as id_token_hint

Pamela Dingle pdingle at pingidentity.com
Fri Sep 5 23:45:53 UTC 2014


I think another argument would be that you would want to use the most
recent authentication context, as the user may have stepped up since the
original id_token was issued. That more current authentication context may
influence what experience the OP chooses to offer the user.


On Fri, Sep 5, 2014 at 2:46 PM, Mike Jones <Michael.Jones at microsoft.com>
wrote:

>  Hi all.  A question has come from our development team about which ID
> Token to send as the id_token_hint value.  It would obviously be easy to
> hold onto the original ID Token received forever and keep using that in
> prompt=none requests.  The alternative is to use the newest ID Token
> received in an authentication response – such as the one received from the
> most recent prompt=none request.
>
>
>
> What guidance should we give developers in this regard?
>
>
>
> One argument I could see for using the most recent one is that the older
> the ID Token is, the more likely it is that the key used to sign it has
> been rotated out and may not be remembered by the server.  Other thoughts?
>
>
>
>                                                             -- Mike
>
>


-- 
Pam Dingle
Sr. Technical Architect
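
An added example, not part of the original thread or of either participant's code: a relying party that keeps every ID Token it receives and sends the one with the latest `iat` as `id_token_hint` in a `prompt=none` request, which is the "newest token" option discussed above. The function names, issuer, client values and sample tokens are constructed for illustration, and the tokens are assumed to have been validated when they were received.

```python
import base64
import json
from urllib.parse import urlencode

ISS = "https://op.example"  # hypothetical OP issuer

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def claims(id_token: str) -> dict:
    """Payload of an ID Token that was already validated when it was received."""
    payload = id_token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def newest_id_token(stored, iss, sub):
    """Stored token for (iss, sub) with the latest iat, or None if there is none."""
    own = [t for t in stored if (claims(t).get("iss"), claims(t).get("sub")) == (iss, sub)]
    return max(own, key=lambda t: claims(t)["iat"], default=None)

def silent_auth_url(endpoint, client_id, redirect_uri, state, nonce, stored, iss, sub):
    """Authorization request with prompt=none, hinting with the newest ID Token."""
    params = {"response_type": "code", "scope": "openid", "client_id": client_id,
              "redirect_uri": redirect_uri, "state": state, "nonce": nonce,
              "prompt": "none"}
    hint = newest_id_token(stored, iss, sub)
    if hint is not None:
        params["id_token_hint"] = hint
    return endpoint + "?" + urlencode(params)

def sample_token(iat, acr, kid, sub="user-1"):
    """Constructed, unsigned sample token; the third segment is a dummy."""
    header = {"alg": "RS256", "kid": kid}
    body = {"iss": ISS, "sub": sub, "aud": "client-1", "iat": iat,
            "exp": iat + 3600, "acr": acr}
    return ".".join(b64url(json.dumps(p).encode()) for p in (header, body)) + ".sig"

# Constructed history: original login, then a step-up signed with a rotated key.
ORIGINAL = sample_token(1409900000, "1", "key-2014-08")
STEPPED_UP = sample_token(1409960000, "2", "key-2014-09")
OTHER_USER = sample_token(1409970000, "1", "key-2014-09", sub="user-2")
STORED = [ORIGINAL, OTHER_USER, STEPPED_UP]

if __name__ == "__main__":
    print(silent_auth_url(ISS + "/authorize", "client-1", "https://rp.example/cb",
                          "state-1", "nonce-1", STORED, ISS, "user-1"))
```
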

