[Openid-specs-ab] Request with prompt=login

Thomas Broyer t.broyer at gmail.com
Wed Jul 20 08:24:13 UTC 2016


On Wed, Jul 20, 2016 at 8:29 AM Hasanthi Purnima Dissanayake <
hasanthi at wso2.com> wrote:

> Hi All,
> I am sending prompt=login parameter with the authorization request when
> the End-User is already authenticated. According to the spec [1], in this
> case the Authorization Server MUST reauthenticate the End-User even if the
> End-User is already authenticated. So the server prompts the login page
> again and the user has to provide credentials again.
>
> When we run the OIDC compliance test cases, I'm getting the following
> error.
>
> [multiple-sign-on]
> 	status: ERROR
> 	description: Verifies that multiple authentication was used in the flow
> 	info: Not two separate authentications!
>
>
>
> So what is the actual thing that the server is supposed to do with the
> prompt=login parameter in the authorization request? Does the server need to
> log out the user if there is an already authenticated session with the
> prompt=login parameter? Otherwise how can we avoid this multiple
> authentication error?
>

The tool checks the auth_time:
https://bitbucket.org/openid/certification/src/b2e0b3bd9d423e68a66dbace5487f304375fb5bf/src/oictest/check.py?at=default&fileviewer=file-view-default#check.py-1065
https://github.com/rohe/oictest/blob/b4c9bcc7119fb19b5c9903d4390f08a511707391/src/oictest/check.py#L1071-L1075
https://github.com/rohe/oidctest/blob/7db9fbbee61d46a8cdedd04200981adef5449cd8/src/oidctest/op/check.py#L1030-L1034
(I have absolutely no idea which of these tools, if any, is the actual one
running for the certification process; sorted above from least recently
updated to most recently updated)
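
An added illustration, not code from this thread or from the linked test tools: a minimal check in the spirit of the one described above, comparing the auth_time claim of the ID Token issued before the prompt=login request with the one issued after it. The function names, the sample tokens and the exact comparison are assumptions, and signature validation is assumed to have been done already.

```python
import base64
import json


def make_sample_token(claims):
    """Build a constructed, unsigned sample ID Token (placeholder signature)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256"}), enc(claims), "c2lnbmF0dXJl"])


def id_token_claims(id_token):
    """Decode the payload of a compact JWS whose signature was already validated."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def separate_authentications(first_token, second_token):
    """Return (ok, info) for the ID Tokens from before and after prompt=login."""
    times = []
    for label, token in (("first", first_token), ("second", second_token)):
        auth_time = id_token_claims(token).get("auth_time")
        if isinstance(auth_time, bool) or not isinstance(auth_time, (int, float)):
            return False, "%s ID Token carries no numeric auth_time" % label
        times.append(auth_time)
    if times[1] <= times[0]:
        # auth_time did not move forward, so the claims show no new authentication.
        return False, "Not two separate authentications!"
    return True, "auth_time advanced by %d s" % (times[1] - times[0])


# Constructed sample claims; issuer, subject and timestamps are made up.
BASE = {"iss": "https://op.example", "sub": "user-1", "aud": "rp-client"}
BEFORE = make_sample_token(dict(BASE, auth_time=1469002000))
STALE = make_sample_token(dict(BASE, auth_time=1469002000))
FRESH = make_sample_token(dict(BASE, auth_time=1469002240))
NO_CLAIM = make_sample_token(BASE)

if __name__ == "__main__":
    for name, token in (("stale", STALE), ("fresh", FRESH), ("missing", NO_CLAIM)):
        print(name, separate_authentications(BEFORE, token))
```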