[Openid-specs-ab] IdP initiated login
John Bradley
ve7jtb at ve7jtb.com
Mon Oct 31 13:56:23 UTC 2011
Just a note on a possible idea.
When the RP registers a client ID it sets unsolicited_login_url: to some return_url.
The IdP then sends the id_token with nonce set to a time stamp + entropy, and a claim of idp_initiated: true.
We probably need to restrict this to the code flow.
RP could then check that the id_token was not generated by XSRF and set its cookies.
I don't see a general way that an unmodified RP is going to be able to do this safely.
This should probably be an extension.
John B.
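An added example of the RP-side check the post sketches (not code from the thread or from any OpenID implementation). The HS256 signing, the "timestamp.entropy" nonce layout, the claim names, the 300-second freshness window and the in-memory replay cache are all assumptions:

```python
import base64, hashlib, hmac, json, os, time

# Constructed values; a real RP would keep the secret and the replay cache in durable storage.
CLIENT_SECRET = b"constructed-shared-secret"
MAX_AGE_SECONDS = 300            # assumed freshness window for the nonce's timestamp part
_seen_nonces: set = set()        # replay cache keyed on the full nonce

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_idp_initiated_id_token(issuer, subject, audience, now=None):
    """IdP side (hypothetical layout): nonce = 'timestamp.entropy', claim idp_initiated: true."""
    now = int(time.time()) if now is None else now
    nonce = f"{now}.{os.urandom(16).hex()}"
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"iss": issuer, "sub": subject, "aud": audience, "iat": now,
                                  "nonce": nonce, "idp_initiated": True}).encode())
    sig = hmac.new(CLIENT_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_idp_initiated_id_token(token, issuer, audience, now=None):
    """RP side: return the claims only if the token is signed, addressed to us, marked
    IdP-initiated, fresh, and not seen before; raise ValueError otherwise."""
    now = int(time.time()) if now is None else now
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token pick the algorithm
    expected = hmac.new(CLIENT_SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer or claims.get("aud") != audience:
        raise ValueError("wrong issuer or audience")
    if claims.get("idp_initiated") is not True:
        raise ValueError("not marked as IdP-initiated")
    ts, _, entropy = str(claims.get("nonce", "")).partition(".")
    if not ts.isdigit() or len(entropy) < 32:
        raise ValueError("malformed nonce")
    if abs(now - int(ts)) > MAX_AGE_SECONDS:
        raise ValueError("stale nonce")
    if claims["nonce"] in _seen_nonces:
        raise ValueError("replayed nonce")
    _seen_nonces.add(claims["nonce"])
    return claims
```

The timestamp part bounds how long a captured token stays usable and the replay cache rejects a second presentation within that window, which is the XSRF check the RP needs before it sets session cookies.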