[Openid-specs-ab] IdP initiated login
Allen Tom
allentomdude at gmail.com
Mon Oct 31 20:42:44 UTC 2011
Hi John -
Is this the Unsolicited Assertion use case - where the user clicks on
a sponsored link hosted on the IdP's site and gets authenticated on the
RP's site?
I think we had discussed this at IIW a couple years ago, and the general
consensus was that upon receiving an unsolicited positive assertion, the RP
would need to redirect the user's browser back to the OP to have the OP
re-generate the assertion and resend it back to the RP.
The downside is that the UX would suffer due to the extra round trip.
Allen
On Mon, Oct 31, 2011 at 6:56 AM, John Bradley <ve7jtb at ve7jtb.com> wrote:
> Just a note on a possible idea.
>
> When the RP registers a client ID it sets unsolicited_login_url: to
> some return_url
>
> The IdP then sends the id_token with nonce set to a time stamp + entropy,
> and a claim of idp_initiated: true.
>
> We probably need to restrict this to the code flow.
>
> RP could then check that the id_token was not generated by XSRF and set
> its cookies.
>
> I don't see a general way that an unmodified RP is going to be able to
> safely.
>
> This should probably be an extension.
>
> John B.
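As an added example (not code from either message in the thread), a Python sketch of both designs discussed above: the IdP-initiated id_token John describes, checked RP-side for forgery, staleness and replay before any cookie is set, and Allen's fallback of sending the browser back to the OP with fresh state and nonce. The JWT layout, HS256 with a shared secret, the nonce format `<timestamp>.<hex>`, and all endpoint and client values are assumptions made for the demo.

```python
import hmac, hashlib, json, base64, secrets
from urllib.parse import urlencode
# Constructed values for the demo; a real RP would verify RS256 against the OP's JWKS.
SECRET = b"constructed-demo-secret"
ISSUER = "https://op.example"
CLIENT_ID = "rp-client-id"
UNSOLICITED_LOGIN_URL = "https://rp.example/unsolicited"   # hypothetical registered return_url
AUTHORIZE_ENDPOINT = "https://op.example/authorize"
MAX_AGE_SECONDS = 300
seen_nonces = set()  # replay cache; a real RP persists this with an expiry

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_idp_initiated_token(sub, now):
    """IdP side: nonce = timestamp + entropy, plus the idp_initiated claim."""
    payload = {"iss": ISSUER, "aud": CLIENT_ID, "sub": sub, "iat": now, "exp": now + 600,
               "nonce": f"{now}.{secrets.token_hex(8)}", "idp_initiated": True}
    signing_input = b64url(json.dumps({"alg": "HS256"}).encode()) + "." + b64url(json.dumps(payload).encode())
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def check_unsolicited_token(token, now):
    """RP side: signature, iss/aud, idp_initiated, nonce freshness and replay. None = reject."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return None
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != ISSUER or claims.get("aud") != CLIENT_ID:
        return None
    if claims.get("idp_initiated") is not True or now >= claims.get("exp", 0):
        return None
    ts, _, entropy = claims.get("nonce", "").partition(".")
    if not ts.isdigit() or len(entropy) < 16 or abs(now - int(ts)) > MAX_AGE_SECONDS:
        return None  # malformed or stale nonce
    if claims["nonce"] in seen_nonces:
        return None  # replayed assertion (the XSRF / re-post case)
    seen_nonces.add(claims["nonce"])
    return claims

def fallback_redirect(state_store):
    """Allen's alternative: bounce the browser back to the OP for a fresh RP-bound assertion."""
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    state_store[state] = nonce
    return AUTHORIZE_ENDPOINT + "?" + urlencode({"response_type": "code", "client_id": CLIENT_ID,
        "redirect_uri": UNSOLICITED_LOGIN_URL, "scope": "openid", "state": state, "nonce": nonce})
```

The extra round trip Allen mentions is exactly `fallback_redirect`: the RP only trusts an assertion it can bind to state and nonce it generated itself.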