<div dir="ltr">so this will be tracked and not forgotten about: <a href="https://bitbucket.org/openid/connect/issue/850/login_hint-for-initiating-login-at-client">https://bitbucket.org/openid/connect/issue/850/login_hint-for-initiating-login-at-client</a><br>
</div><div class="gmail_extra"><br><br><div class="gmail_quote">On Thu, Jun 20, 2013 at 9:45 AM, John Bradley <span dir="ltr"><<a href="mailto:ve7jtb@ve7jtb.com" target="_blank">ve7jtb@ve7jtb.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word">The problem was the login process we have MUST be initiated by the client per OAuth.<div>
<br></div><div>There was no way for a 3rd party to initiate the login due to concerns about logging users into sites in the background without there consent.</div><div><br></div><div>The uses for this are:</div><div>1. Account chooser providing discovery info to the client for kicking off a generic login.</div>
<div>2. The IdP having a bookmark service that directly logs the user into the client.</div><div>3. Deep linking content type services, where you may be logged into provider A that provides a link to a resource at client B and knows credentials for you that it or someone else has that you need to get to the resource at B. This is common in all sorts of content provider services. </div>
<div><br></div><div>At the moment for SAML one common hack is to bake the IdP into the target URI somehow or try and guess based on referrer. What you don't want is to pop up another discovery dialog at the client before the user is directed back to the IdP. Ideally if the user has previously connected to logging into the client everything happens in the background and to them it just looks like they are following a link.</div>
<div><br></div><div>John B.</div><div><div class="h5"><div><br></div><div><div><div>On 2013-06-20, at 11:25 AM, Mike Jones <<a href="mailto:Michael.Jones@microsoft.com" target="_blank">Michael.Jones@microsoft.com</a>> wrote:</div>
<br><blockquote type="cite"><div link="blue" vlink="purple" style="font-family:Helvetica;font-size:medium;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:-webkit-auto;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px" lang="EN-US">
<div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">I think the “MUST” in the login_hint language below is confusing.<u></u><u></u></span></div>
<div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"> </span></div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">
<span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">If we don’t require that the issuer be specified, we have to say how to figure out what it is.<u></u><u></u></span></div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">
<span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"> </span></div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">I guess part of the confusion is what this is for. I’d thought that it was “please log this user in at this IdP”. If we make everything optional it becomes something closer to “please have the user log at your RP”. Before revising the text, we probably want to be clear among ourselves what it’s trying to accomplish.<u></u><u></u></span></div>
<div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"> </span></div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">
<span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"> -- Mike<u></u><u></u></span></div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">
<span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"> </span></div><div><div style="border-style:solid none none;border-top-width:1pt;border-top-color:rgb(181,196,223);padding:3pt 0in 0in"><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">
<b><span style="font-size:10pt;font-family:Tahoma,sans-serif">From:</span></b><span style="font-size:10pt;font-family:Tahoma,sans-serif"><span> </span><a href="mailto:openid-specs-ab-bounces@lists.openid.net" target="_blank">openid-specs-ab-bounces@lists.openid.net</a> [mailto:<a href="mailto:openid-" target="_blank">openid-</a><a href="mailto:specs-ab-bounces@lists.openid.net" target="_blank">specs-ab-bounces@lists.openid.net</a>]<b>On Behalf Of<span> </span></b>John Bradley<br>
<b>Sent:</b><span> </span>Thursday, June 20, 2013 8:20 AM<br><b>To:</b><span> </span>Nat Sakimura<br><b>Cc:</b><span> </span><<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a>><br>
<b>Subject:</b><span> </span>Re: [Openid-specs-ab] login_hint for Initiating Login at Client from Third Party<u></u><u></u></span></div></div></div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">
<u></u> <u></u></div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">I think Mike argued that iss be REQUIRED to avoid the client doing discovery.<u></u><u></u></div><div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">
<u></u> <u></u></div></div><div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">Perhaps for login_hint <span style="font-family:Verdana,sans-serif">OPTIONAL. A string that the client MUST send as login_hint parameter value of the authorization request if present.</span><u></u><u></u></div>
<div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><u></u> <u></u></div></div><div><div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">
On 2013-06-20, at 11:11 AM, Nat Sakimura <<a href="mailto:sakimura@gmail.com" style="color:purple;text-decoration:underline" target="_blank">sakimura@gmail.com</a>> wrote:<u></u><u></u></div></div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">
<br><br><u></u><u></u></div><div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-family:Verdana,sans-serif">What about this? <u></u><u></u></span></div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">
<span style="font-family:Verdana,sans-serif"> </span></div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-family:Verdana,sans-serif">login_hint<u></u><u></u></span></div>
<div style="margin:0in 0in 0.0001pt 0.5in;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-family:Verdana,sans-serif">OPTIONAL. A string that the client MUST send as login_hint parameter value of the authorization request.<u></u><u></u></span></div>
<div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-family:Verdana,sans-serif">iss<u></u><u></u></span></div><div style="margin:0in 0in 0.0001pt 0.5in;font-size:12pt;font-family:'Times New Roman',serif">
<span style="font-family:Verdana,sans-serif">OPTIONAL. Issuer Identifier for the Issuer that the Client is to send the authentication request to. Its value MUST be a URL using the </span><tt style="font-family:'Courier New'"><span style="font-size:10pt;color:rgb(0,51,102)">https </span></tt><span style="font-family:Verdana,sans-serif">scheme.<u></u><u></u></span></div>
<div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-family:Verdana,sans-serif">target_link_uri<u></u><u></u></span></div><div style="margin:0in 0in 0.0001pt 0.5in;font-size:12pt;font-family:'Times New Roman',serif">
<span style="font-family:Verdana,sans-serif">OPTIONAL. URI of the target resource. After receiving a positive authorization response, the Client SHOULD redirect the user-agent to this URI. Clients MUST verify the value of the </span><tt style="font-family:'Courier New'"><span style="font-size:10pt;color:rgb(0,51,102)">target_link_uri</span></tt><span style="font-family:Verdana,sans-serif"> to prevent it being used as an open redirector to external sites.<u></u><u></u></span></div>
</div><div><p class="MsoNormal" style="margin:0in 0in 12pt;font-size:12pt;font-family:'Times New Roman',serif"><u></u> <u></u></p><div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">
2013/6/20 Brian Campbell <<a href="mailto:bcampbell@pingidentity.com" style="color:purple;text-decoration:underline" target="_blank">bcampbell@pingidentity.com</a>><u></u><u></u></div><div><div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">
The text says login_hint is required but then ends the description with "(if necessary)" which reads kind of awkwardly (to me anyway).<u></u><u></u></div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">
<u></u> <u></u></div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">Also it says it's a "hint to the Authorization Server" but this section is defining a client endpoint. Shouldn't it say what the client is supposed to do with it? I presume it should just pass it along verbatim to the AS using the parameter of the same name. But the text here should probably say as much, no?<u></u><u></u></div>
<p style="margin-right:0in;margin-left:0in;font-size:12pt;font-family:'Times New Roman',serif">And why is login_hint required? It seems quite possible that the AS or other party (a static HTML page of links, for example) wouldn't know enough to populate that field at the point of sending a Login Initiation Request.<u></u><u></u></p>
</div><div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">from<span> </span><a href="http://openid.net/specs/openid-connect-standard-1_0-21.html#client_Initiate_login" style="color:purple;text-decoration:underline" target="_blank">http://openid.net/specs/openid-connect-standard-1_0-21.html#client_Initiate_login</a><u></u><u></u></div>
<div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">"login_hint<u></u><u></u></div><div style="margin:0in 0in 0.0001pt 0.5in;font-size:12pt;font-family:'Times New Roman',serif">
REQUIRED. Hint to the Authorization Server about the login identifier the End-User might use to log in (if necessary)."<u></u><u></u></div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">
<u></u> <u></u></div></div><div><p class="MsoNormal" style="margin:0in 0in 12pt;font-size:12pt;font-family:'Times New Roman',serif"><u></u> <u></u></p></div></div><p class="MsoNormal" style="margin:0in 0in 12pt;font-size:12pt;font-family:'Times New Roman',serif">
<br>_______________________________________________<br>Openid-specs-ab mailing list<br><a href="mailto:Openid-specs-ab@lists.openid.net" style="color:purple;text-decoration:underline" target="_blank">Openid-specs-ab@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" style="color:purple;text-decoration:underline" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><u></u><u></u></p></div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">
<br><br clear="all"><u></u><u></u></div><div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><u></u> <u></u></div></div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">
--<span> </span><br>Nat Sakimura (=nat)<u></u><u></u></div><div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">Chairman, OpenID Foundation<br><a href="http://nat.sakimura.org/" style="color:purple;text-decoration:underline" target="_blank">http://nat.sakimura.org/</a><br>
@_nat_en<u></u><u></u></div></div></div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">_______________________________________________<br>Openid-specs-ab mailing list<br><a href="mailto:Openid-specs-ab@lists.openid.net" style="color:purple;text-decoration:underline" target="_blank">Openid-specs-ab@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" style="color:purple;text-decoration:underline" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><u></u><u></u></div></div><p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">
</p></div></div></div></blockquote></div><br></div></div></div></div><br>_______________________________________________<br>
Openid-specs-ab mailing list<br>
<a href="mailto:Openid-specs-ab@lists.openid.net">Openid-specs-ab@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><br>
<br></blockquote></div><br></div>