[Openid-specs-mobile-profile] login_hint behaviour

Torsten Lodderstedt torsten at lodderstedt.net
Sat Apr 25 16:09:17 UTC 2015


So far and in contrast to id token hint, I interpreted the login hint as "nice to have but not a strong requirement". The semantics you describe is much stronger.  I was unable to find a text in the spec describing the use case we are discussing. Can you refer to some text?

On 25 April 2015 16:13:07 CEST, John Bradley <ve7jtb at ve7jtb.com> wrote:
>Sending an error that authentication is needed.  The client needs to
>retry without prompt=none so the user can sort it out at the AS. 
>
>Clients sending users off to reauth need to be able to deal with the
>case of a different user coming back. 
>
>Sent from my iPhone
>
>> On Apr 25, 2015, at 5:47 AM, Torsten Lodderstedt <torsten at lodderstedt.net> wrote:
>> 
>> Hi John,
>> 
>> what behavior would you expect if the user id in the login hint conflicts with the user id of the existing session and prompt != none?
>> 
>> Best regards,
>> Torsten.
>> 
>> 
>> 
>>> On 24.04.2015 at 23:58, John Bradley <ve7jtb at ve7jtb.com> wrote:
>>> 
>>> Agreed.
>>> 
>>> The exception would be in the prompt=none case where you can’t display a UI.
>>> 
>>> If the login hint or id_token hint is for a different account than the one with the current session you would need to return an error that authentication is required.
>>> 
>>> 
>>>> On Apr 24, 2015, at 5:17 PM, Torsten Lodderstedt <torsten at lodderstedt.net> wrote:
>>>> 
>>>> Hi Gonzalo,
>>>> 
>>>> I would suggest to ignore invalid login_hint values and prompt the user again. As the parameter name suggests, it is just a hint.
>>>> 
>>>> best regards,
>>>> Torsten.
>>>> 
>>>>> On 22.04.2015 at 13:38, GONZALO FERNANDEZ RODRIGUEZ wrote:
>>>>> Hi guys,
>>>>> 
>>>>> 
>>>>> We are testing our IDGW and we have a doubt about the behaviour that it should have regarding authentication in case a login_hint is provided in the authentication request. Can any of you help us with this topic?
>>>>> 
>>>>> If the MNO is not able to resolve which user the login_hint refers to, what should it do? Return an error or prompt the user to introduce their MSISDN? In case of asking the user for their MSISDN, it could happen that the MSISDN is not the same as the one referred to by the login_hint (from the Service Provider side).
>>>>> 
>>>>> Best,
>>>>> Gonza.
>>>>> 
>>>>> 
>>>>> 
>>>>> _______________________________________________
>>>>> Openid-specs-mobile-profile mailing list
>>>>> Openid-specs-mobile-profile at lists.openid.net
>>>>> http://lists.openid.net/mailman/listinfo/openid-specs-mobile-profile
>>>> 
>>> 
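
An added example, not part of the thread or of any specification text: one way an OP could implement the behaviour discussed above, together with the check a client needs when a different user comes back. The names `decide`, `client_accepts` and `DIRECTORY`, the sample MSISDNs, and the choice to prompt on a hint/session conflict when prompt is not `none` are assumptions; `login_required` is the OpenID Connect Core error code for the prompt=none case.

```python
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass(frozen=True)
class Decision:
    action: str                    # "issue", "prompt" or "error"
    error: Optional[str] = None    # OIDC error code when action == "error"
    subject: Optional[str] = None  # session subject, or hinted user to prefill

def decide(prompt: Optional[str], login_hint: Optional[str],
           session_sub: Optional[str],
           resolve_hint: Callable[[str], Optional[str]]) -> Decision:
    """OP side: combine login_hint, the current session and prompt."""
    # An unresolvable hint is ignored: it is only a hint.
    hinted = resolve_hint(login_hint) if login_hint else None
    conflict = None not in (hinted, session_sub) and hinted != session_sub
    if prompt == "none":
        # No UI may be shown, so anything that needs the user is an error.
        if session_sub is None or conflict:
            return Decision("error", error="login_required")
        return Decision("issue", subject=session_sub)
    if session_sub is None or conflict:
        # Assumption: with a UI available the user sorts it out at the AS.
        return Decision("prompt", subject=hinted)
    return Decision("issue", subject=session_sub)

def client_accepts(expected_sub: Optional[str], id_token_sub: str) -> bool:
    """RP side: a different user may come back after re-authentication."""
    return expected_sub is None or expected_sub == id_token_sub

# Constructed directory mapping MSISDN hints to subjects (sample data).
DIRECTORY = {"+34600000001": "sub-alice", "+34600000002": "sub-bob"}

if __name__ == "__main__":
    for args in [("none", "+34600000002", "sub-alice"),
                 (None, "+34600000002", "sub-alice"),
                 (None, "+34999999999", None)]:
        print(args, "->", decide(*args, DIRECTORY.get))
```
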