[Openid-specs-mobile-profile] login_hint_token format.
ve7jtb at ve7jtb.com
Thu Dec 3 15:20:28 UTC 2015
One possibility if we were to mandate the format to be encrypted JWT would be to use the existing id_token_hint parameter.
We would have the discovery service produce an encrypted (pseudo) id_token with no “sub” and the extra claims.
This is almost exactly what we have, but have been thinking that it would fit because it is not produced by the IdP.
On one hand using a different parameter name has little expense, on the other having two of something almost the same may be more confusing to developers.
The IdP already needs to support receiving encrypted id_tokens/JWT as the value of the parameter, so it would decrypt it and then look at the issuer to check the signature.
If the issuer is itself it is an id_token, if the issuer is the discovery service then it would know to take the extra parameter as the hint, rater then the sub.
OPTIONAL. ID Token previously issued by the Authorization Server being passed as a hint about the End-User's current or past authenticated session with the Client. If the End-User identified by the ID Token is logged in or is logged in by the request, then the Authorization Server returns a positive response; otherwise, it SHOULD return an error, such as login_required. When possible, an id_token_hintSHOULD be present when prompt=none is used and an invalid_request error MAY be returned if it is not; however, the server SHOULD respond successfully when possible, even if it is not present. The Authorization Server need not be listed as an audience of the ID Token when it is used as an id_token_hint value.
If the ID Token received by the RP from the OP is encrypted, to use it as an id_token_hint, the Client MUST decrypt the signed ID Token contained within the encrypted ID Token. The Client MAY re-encrypt the signed ID token to the Authentication Server using a key that enables the server to decrypt the ID Token, and use the re-encrypted ID token as the id_token_hint value.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Openid-specs-mobile-profile