[Openid-specs-mobile-profile] Issue #123: CIBA: hint and hint_type (openid/mobile)

Takahiko Kawasaki issues-reply at bitbucket.org
Wed Nov 28 11:24:09 UTC 2018

New issue 123: CIBA: hint and hint_type

Takahiko Kawasaki:

This may be too late to suggest, but I'm feeling that `hint` and `hint_type` request parameters would be better than having a different request parameter per hint type.

The current spec has three request parameters, `login_hint_token`, `id_token_hint` and `login_hint`. They represent hints and they must not coexist in a backchannel authentication request.

My suggestion is to abolish the three request parameters and define new `hint` and `hint_type` request parameters as follows:

| name | description |
|---|---|
|`hint`|An arbitrary string. Its format depends on `hint_type`.|
|`hint_type`|`id_token`, etc.|

By adopting this style, we can:

1. make it easy for implementations **to ensure that multiple hints are not included in a backchannel authentication request**,
2. get flexibility in defining and adding hint types,
3. avoid adding a new request parameter every time a new hint type is invented in the future, and
4. move detailed hint-type-specific descriptions to another section or to other separate spec documents.

See also my comment added to Issue #71 (CIBA hint validation clarification).
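
The check behind point 1 of the issue above, sketched for both parameter styles. This is an added example, not part of the original post or of the CIBA specification. The function names, the hint type names other than `id_token`, and the rule that a missing hint is rejected are assumptions made for the illustration.

```python
from urllib.parse import parse_qs

# The three hint parameters named in the post (current CIBA draft).
HINT_PARAMS = ("login_hint_token", "id_token_hint", "login_hint")

# Hint types for the proposed style. Only "id_token" appears in the post;
# the other two names are assumptions made for this example.
ASSUMED_HINT_TYPES = {"id_token", "login_hint_token", "login_hint"}


class HintError(ValueError):
    """Raised when a backchannel authentication request carries bad hints."""


def _single(params, name):
    """Return the sole value of `name`, None if absent; reject repeats."""
    values = params.get(name, [])
    if len(values) > 1:
        raise HintError(f"{name} appears {len(values)} times")
    return values[0] if values else None


def extract_hint_current(body):
    """Current style: three parameters must be checked for mutual exclusion."""
    params = parse_qs(body, keep_blank_values=True)
    found = [(n, v) for n in HINT_PARAMS if (v := _single(params, n)) is not None]
    if len(found) > 1:
        raise HintError("hints must not coexist: " + ", ".join(n for n, _ in found))
    if not found:
        raise HintError("no hint present")  # assumption: a hint is required
    name, value = found[0]
    if not value:
        raise HintError(f"{name} is empty")
    return name, value


def extract_hint_proposed(body):
    """Proposed style: one `hint` plus a `hint_type` that selects its format."""
    params = parse_qs(body, keep_blank_values=True)
    hint, hint_type = _single(params, "hint"), _single(params, "hint_type")
    if not hint or not hint_type:
        raise HintError("hint and hint_type are both required")  # assumption
    if hint_type not in ASSUMED_HINT_TYPES:
        raise HintError(f"unsupported hint_type: {hint_type}")
    return hint_type, hint
```

In either style a form-encoded body can still repeat a parameter, so the repeat check in `_single` is needed even when only one `hint` parameter is defined.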
