[Openid-specs-ab] Request with prompt=login

Thomas Broyer t.broyer at gmail.com
Wed Jul 20 08:24:13 UTC 2016

On Wed, Jul 20, 2016 at 8:29 AM Hasanthi Purnima Dissanayake <
hasanthi at wso2.com> wrote:

> Hi All,
> I am sending the prompt=login parameter with the authorization request when
> the End-User is already authenticated. According to the spec [1], in this
> case the Authorization Server MUST reauthenticate the End-User even if the
> End-User is already authenticated. So the server prompts the login page
> again and the user has to provide credentials again.
> Once we are running the OIDC compliance test cases I'm getting the following
> error.
> [multiple-sign-on]
> 	status: ERROR
> 	description: Verifies that multiple authentication was used in the flow
> 	info: Not two separate authentications!
> So what is the actual thing that the server is supposed to do with the
> prompt=login parameter in the authorization request? Does the server need to
> log out the user if there is an already authenticated session with the
> prompt=login parameter? Otherwise how can we avoid this multiple
> authentication error?

The tool checks the auth_time:
(I have absolutely no idea which of these tools, if any, is the actual one
running for the certification process; sorted above from least recently
updated to most recently updated)
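
Added example, not part of the original thread and not the conformance tool's code: an RP-side check that a prompt=login round trip produced a new authentication, by comparing auth_time across two ID tokens. It assumes this comparison is what lies behind the "Not two separate authentications!" result and that signatures are validated elsewhere; all function names and sample tokens are constructed.

```python
import base64
import json

def decode_claims(id_token):
    """Return the payload claims of a compact JWT. Does NOT verify the signature."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_reauthentication(first_token, second_token, request_sent_at, skew=5):
    """Return a list of problems; an empty list means the second login was fresh."""
    first, second = decode_claims(first_token), decode_claims(second_token)
    problems = []
    # auth_time is optional unless requested, so a missing claim is handled explicitly.
    for name, claims in (("first", first), ("second", second)):
        if not isinstance(claims.get("auth_time"), (int, float)):
            problems.append(f"{name} ID token has no usable auth_time")
    if problems:
        return problems
    # A reused session shows up as an unchanged auth_time.
    if second["auth_time"] <= first["auth_time"]:
        problems.append("auth_time did not advance: not two separate authentications")
    # The new authentication must not predate the prompt=login request itself.
    if second["auth_time"] < request_sent_at - skew:
        problems.append("auth_time predates the prompt=login request")
    return problems

def make_token(claims):
    """Build a constructed, unsigned sample token for the demo (hypothetical helper)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.constructed-signature"

if __name__ == "__main__":
    # Constructed sample claims; issuer, subject and timestamps are placeholders.
    base = {"iss": "https://op.example", "sub": "user-1", "aud": "rp-client"}
    first = make_token({**base, "auth_time": 1469000000})
    reused = make_token({**base, "auth_time": 1469000000})  # session reused
    fresh = make_token({**base, "auth_time": 1469000120})   # user logged in again
    sent_at = 1469000100  # when the prompt=login request was sent
    print("reused:", check_reauthentication(first, reused, sent_at))
    print("fresh: ", check_reauthentication(first, fresh, sent_at))
```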