[Openid-specs-ab] Submission: Update to the prompt=create specification

George Fletcher gffletch at aol.com
Thu Aug 1 15:19:23 UTC 2019


I've submitted a PR to the OpenID Connect bitbucket repository for 
openid-connect-prompt-create-1_0.xml. This draft has minor updates from 
the original. It does not include Filip's comments regarding using a 
parameter other than 'prompt'. I'm happy to re-open that discussion as 
there is interest in this spec.

XML and TXT versions attached.

Thanks,
George


-------------- next part --------------
A non-text attachment was scrubbed...
Name: openid-connect-prompt-create-1_0.xml
Type: text/xml
Size: 11070 bytes
Desc: not available
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20190801/bda9b9db/attachment.xml>
-------------- next part --------------




                                                             G. Fletcher
                                                           Verizon Media
                                                          August 1, 2019


       Initiating User Registration via OpenID Connect - draft 02
                    openid-connect-prompt-create-1_0

Abstract

   An extension to the OpenID Connect Authentication Framework defining
   a new value for the "prompt" parameter that instructs the OpenID
   Provider to start the user flow with user registration and after the
   user account has been created return an authorization code to the
   client to complete the authentication flow.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   1
   2.  Requirements Notation and Conventions . . . . . . . . . . . .   2
   3.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . .   2
   4.  Prompt Parameter  . . . . . . . . . . . . . . . . . . . . . .   2
     4.1.  Authorization Request . . . . . . . . . . . . . . . . . .   2
   5.  Security Considerations . . . . . . . . . . . . . . . . . . .   3
   6.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   3
     6.1.  Normative References  . . . . . . . . . . . . . . . . . .   3
     6.2.  Informative References  . . . . . . . . . . . . . . . . .   4
   Appendix A.  Acknowledgements . . . . . . . . . . . . . . . . . .   4
   Appendix B.  Document History . . . . . . . . . . . . . . . . . .   5
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .   5

1.  Introduction

   Several years of deployment and implementation experience with OpenID
   Connect Core 1.0 [OpenID.Core] has uncovered a need, in some
   circumstances, for the client to explicitly signal to the OpenID
   Provider that the user desires to create a new account rather than
   authenticate an existing identity.

   This allows the client to indicate to the OpenID Provider that the
   user desires to create an account.  This improves the user experience
   because the user doesn't have to first see the login form and then
   find the sign-up link on the form and select it before getting to the
   user's desired action.

   This specification defines a new parameter value for the "prompt"
   parameter.




Fletcher                Expires February 2, 2020                [Page 1]


                           OIDC Prompt Create                August 2019


2.  Requirements Notation and Conventions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in RFC
   2119 [RFC2119].

   In the .txt version of this specification, values are quoted to
   indicate that they are to be taken literally.  When using these
   values in protocol messages, the quotes MUST NOT be used as part of
   the value.  In the HTML version of this specification, values to be
   taken literally are indicated by the use of "this fixed-width font".

3.  Terminology

   This specification uses the terms "authorization endpoint",
   "authorization request", "authorization response", and "client"
   defined by The OAuth 2.0 Authorization Framework [RFC6749].

4.  Prompt Parameter

   In requests to the OpenID Provider, a client MAY indicate that the
   desired user experience is for the user to immediately see the user
   account creation UI instead of the login behavior.

   prompt
      A value of "create" indicates to the OpenID Provider that the
      client desires that the user be shown the account creation UX
      rather than the login flow.  Care must be taken if combining this
      value with other "prompt" values.  Mututally exclusive conditions
      can arise so it is RECOMMENDED that "create" not be present with
      any other values.

4.1.  Authorization Request

   When the "prompt" parameter is used in an authorization request to
   the authorization endpoint with the value of "create", it indicates
   that client desires the user be shown the account creation experience
   rather than the login experience.  This behavior is the same for both
   the implicit flow (Section 3.2 of OpenID Connect Core 1.0
   [OpenID.Core]), and the authorization code flow (Section 3.1 of
   OpenID Connect Core 1.0 [OpenID.Core]).

   For authorization requests sent as a JWTs, such as when using JWT
   Secured Authorization Request [I-D.ietf-oauth-jwsreq], a single
   "prompt" parameter value is represented as a JSON string while
   multiple values are represented as an array of strings.




Fletcher                Expires February 2, 2020                [Page 2]


                           OIDC Prompt Create                August 2019


   If the OpenID Provider fails to parse the provided value(s) it should
   ignore the "prompt" parameter value and proceed as if the "prompt"
   parameter was not specified.

   An example of an authorization request where the client tells the
   OpenID Provider that it wants the user to start from the account
   creation user experience is shown in Figure 1 below (extra line
   breaks and indentation are for display purposes only).

     GET /as/authorization.oauth2?response_type=token
        &client_id=example-client
        &state=XzZaJlcwYew1u0QBrRv_Gw
        &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Eorg%2Fcb
        &prompt=create HTTP/1.1
     Host: authorization-server.example.com

               Figure 1: Implicit Flow Authorization Request

   Below in Figure 2 is an example of an authorization request using the
   "code" response type where the the client tells the OpenID Provider
   that it wants the user to start from the account creation user
   experience (extra line breaks and indentation are for display
   purposes only).

     GET /as/authorization.oauth2?response_type=code
        &client_id=s6BhdRkqt3
        &state=tNwzQ87pC6llebpmac_IDeeq-mCR2wLDYljHUZUAWuI
        &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Eorg%2Fcb
        &scope=calendar%20contacts
        &prompt=create HTTP/1.1
     Host: authorization-server.example.com

                 Figure 2: Code Flow Authorization Request

5.  Security Considerations

   Placeholder for now

6.  References

6.1.  Normative References

   [OpenID.Core]
              Sakimura, N., Bradley, J., Jones, M., de Medeiros, B., and
              C. Mortimore, "OpenID Connect Core 1.0", November 2014,
              <http://openid.net/specs/openid-connect-core-1_0.html>.





Fletcher                Expires February 2, 2020                [Page 3]


                           OIDC Prompt Create                August 2019


   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

   [RFC3986]  Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
              Resource Identifier (URI): Generic Syntax", STD 66,
              RFC 3986, DOI 10.17487/RFC3986, January 2005,
              <https://www.rfc-editor.org/info/rfc3986>.

   [RFC6749]  Hardt, D., Ed., "The OAuth 2.0 Authorization Framework",
              RFC 6749, DOI 10.17487/RFC6749, October 2012,
              <https://www.rfc-editor.org/info/rfc6749>.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <https://www.rfc-editor.org/info/rfc8174>.

6.2.  Informative References

   [I-D.ietf-oauth-jwsreq]
              Sakimura, N. and J. Bradley, "The OAuth 2.0 Authorization
              Framework: JWT Secured Authorization Request (JAR)",
              draft-ietf-oauth-jwsreq-16 (work in progress), April 2018.

   [RFC6750]  Jones, M. and D. Hardt, "The OAuth 2.0 Authorization
              Framework: Bearer Token Usage", RFC 6750,
              DOI 10.17487/RFC6750, October 2012,
              <https://www.rfc-editor.org/info/rfc6750>.

   [RFC7519]  Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token
              (JWT)", RFC 7519, DOI 10.17487/RFC7519, May 2015,
              <https://www.rfc-editor.org/info/rfc7519>.

   [RFC7644]  Hunt, P., Ed., Grizzle, K., Ansari, M., Wahlstroem, E.,
              and C. Mortimore, "System for Cross-domain Identity
              Management: Protocol", RFC 7644, DOI 10.17487/RFC7644,
              September 2015, <https://www.rfc-editor.org/info/rfc7644>.

   [RFC7662]  Richer, J., Ed., "OAuth 2.0 Token Introspection",
              RFC 7662, DOI 10.17487/RFC7662, October 2015,
              <https://www.rfc-editor.org/info/rfc7662>.

Appendix A.  Acknowledgements

   This specification was developed within OpenID connect Working Group
   of the OpenID Foundation.  Additionally, the following individuals




Fletcher                Expires February 2, 2020                [Page 4]


                           OIDC Prompt Create                August 2019


   contributed ideas, feedback, and wording that helped shape this
   specification:

   William Dennis

Appendix B.  Document History

   [[ to be removed by the RFC Editor before publication as an RFC ]]

   2019-02-01
      Removed "MUST" normative text and replacec with concept that
      prompt=create is more of a hint to the OpenID Provider.


Author's Address

   George Fletcher
   Verizon Media

   Email: gffletch at aol.com































Fletcher                Expires February 2, 2020                [Page 5]


More information about the Openid-specs-ab mailing list