[Openid-specs-ab] Issue #1034: Core - id_token_hint and prompt=none (openid/connect)

Brock Allen brockallen at gmail.com
Sat Jul 28 13:35:01 UTC 2018

I have encountered the interoperability problems raised in Torsten's email. Also, the addition of the hint in the URL does sometimes make for long URLs (depending on how state is also treated by the client), and we all know how good IE is at dealing with those long URLs.

It was never clear to me either the expected use of the param at the OP, unless it's a way to ask the OP to confirm that the user's identity is still the same at the time the original token was obtained. For me, I have written the client to be defensive to address the possibility of the sub changing at the OP, rather than relying on the id_token hint (especially since it's not required and thus not all OPs do anything with it). 


On 7/28/2018 8:38:06 AM, Torsten Lodderstedt via Openid-specs-ab <openid-specs-ab at lists.openid.net> wrote:
New issue 1034: Core - id_token_hint and prompt=none

Torsten Lodderstedt:

the OpenID Connect spec states „When possible, an id_token_hint SHOULD be present when prompt=none is used and an invalid_request error MAY be returned if it is not; however, the server SHOULD respond successfully when possible, even if it is not present.“

I don’t fully understand the rationale of this text and think it hinders interoperability.

1) Why should the RP include an id_token? There are use cases where the RP just wants to determine whether a user is logged in on the device. No id_token_hint available or needed.

2) If the RP is free to choose whether to include an id_token_hint or not, why MAY the OP respond with an invalid_request error code? According to RFC 6749 this means „The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed.“ To me this indicates a programming error. That would be ok, if the text would require (MUST) the RP to send the id_token_hint. The way the text is written now, an RP, which works perfectly fine with several OPs would break if the next OP would decide to respond with this error. That’s bad for interop.

3) The text continues by asking the OP to not respond with an error if possible? I got lost.

I suggest to clarify the rationale and simplify the text.

Is it allowed and desired to use prompt=none without an id_token_hint? I think so and any OP should support this behavior.

I think the whole sentence could be removed.

Openid-specs-ab mailing list
Openid-specs-ab at lists.openid.net
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20180728/a346f258/attachment-0001.html>

More information about the Openid-specs-ab mailing list