[Openid-specs-ab] LoginId hint
Breno de Medeiros
breno at google.com
Thu Aug 30 18:32:51 UTC 2012
On Thu, Aug 30, 2012 at 11:22 AM, Justin Richer <jricher at mitre.org> wrote:
> RPs shouldn't rely on the login_id having *any* effect on the IdP's
> processing and MUST NOT have any expectations to the contrary. The
> transaction could come back with a different user, it could come back with
> a pseudonymous account, etc. The idea for this, as I understand it, is just
> for the RP to provide a hint for better UX. It does nothing to change the
> security profile.
>
SGTM.
FTR, Google already supports hinting this under the (somewhat unfortunate)
'user_id' parameter, and aliasing it to 'login_id' would be very simple.
>
>
> -- Justin
>
>
> On 08/30/2012 02:01 PM, Breno de Medeiros wrote:
>
>
>
>
> On Thu, Aug 30, 2012 at 11:00 AM, Richer, Justin P. <jricher at mitre.org> wrote:
>
>> As far as the spec is concerned, that's up to the IdP. A "Smart" IdP
>> might prompt the user with something like:
>>
>> "You are logging in to site X who thinks you're Bob, but you're logged
>> in as Alice. Click here to log in as Bob instead."
>>
>
> Well, it might be useful to give RPs some expectations. For instance,
> RPs should be expecting the case where they supply a login_id but receive a
> session authenticated to a different user.
>
>
>>
>> -- Justin
>>
>> On Aug 30, 2012, at 1:52 PM, Breno de Medeiros wrote:
>>
>> Consider the case where partners share a computer, or a user has a
>> personal account and a professional account with the same IDP. If the
>> currently logged-in user is different from the suggested user via login_id,
>> what are the expectations?
>>
>>
>> On Thu, Aug 30, 2012 at 7:55 AM, Justin Richer <jricher at mitre.org> wrote:
>>
>>> Ryo,
>>>
>>> We talked about this on the call this morning. Right now, we're saying
>>> that it's RECOMMENDED that they have the same value, but it's not required.
>>> Since there are currently two discovery setups (SWD and Webfinger/XRD) that
>>> use different parameter names, it might be a moot point to try and match
>>> those.
>>>
>>> -- Justin
>>>
>>>
>>> On 08/30/2012 01:28 AM, Ryo Ito wrote:
>>>
>>> Do the principal parameter in the discovery request and the login_id parameter
>>> have the same value?
>>> If yes, unifying the parameter name or reference will
>>> help developers.
>>>
>>> Thanks,
>>> Ryo
>>>
>>> 2012/8/30 George Fletcher <gffletch at aol.com>
>>>
>>>> How about adding the following to section 2.1.2 of Messages... after
>>>> the id_token parameter
>>>>
>>>> login_id
>>>> OPTIONAL. A hint to the authorization service as to the login_id
>>>> the user may use to authenticate (if necessary). This hint can be used by
>>>> an RP if it first asks the user for their email address (or other
>>>> identifier) and then wants to pass that value as a hint to the discovered
>>>> authorization service.
>>>>
>>>> Thanks,
>>>> George
>>>>
>>>> On 8/29/12 2:00 PM, Nat Sakimura wrote:
>>>>
>>>> Hey, now I am getting the support!
>>>>
>>>> Could one of you provide the actual text proposal for it?
>>>>
>>>> =nat via iPhone
>>>>
>>>> On Aug 30, 2012, at 1:40 AM, Chuck Mortimore <cmortimore at salesforce.com>
>>>> wrote:
>>>>
>>>> +1
>>>>
>>>> - cmort
>>>>
>>>> On Aug 29, 2012, at 9:26 AM, "Pam Dingle" <pdingle at pingidentity.com>
>>>> wrote:
>>>>
>>>> +1 from me too - need this for account chooser, among other things.
>>>>
>>>> On Wed, Aug 29, 2012 at 8:39 AM, Richer, Justin P. <jricher at mitre.org> wrote:
>>>>
>>>>> +1, I've asked for this feature too.
>>>>>
>>>>> -- Justin
>>>>>
>>>>> On Aug 29, 2012, at 11:27 AM, George Fletcher wrote:
>>>>>
>>>>> Hi,
>>>>>
>>>>> We've run into a case where it would be nice to be able to pass into
>>>>> the /authorize endpoint a value to pre-fill the loginid field on the
>>>>> authentication UI. We allow for an id_token to be passed as a hint of the
>>>>> desired user, but this only works for an "already authenticated" use case.
>>>>>
>>>>> If we consider the Account Chooser case where what is stored is the
>>>>> user's email address, it would be nice to be able to start the identity
>>>>> federation flow passing that email address along to the IdP.
>>>>>
>>>>> Did I just miss support for this in the specs?
>>>>>
>>>>> Thanks,
>>>>> George
>>>>>
>>>>> --
>>>>> Chief Architect, Identity Services Engineering, AOL Inc.
>>>>> AIM: gffletch
>>>>> Work: george.fletcher at teamaol.com
>>>>> Home: gffletch at aol.com
>>>>> Mobile: +1-703-462-3494
>>>>> Office: +1-703-265-2544
>>>>> Blog: http://practicalid.blogspot.com
>>>>> Twitter: http://twitter.com/gffletch
>>>>>
>>>>> _______________________________________________
>>>>> Openid-specs-ab mailing list
>>>>> Openid-specs-ab at lists.openid.net
>>>>> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> *Pamela Dingle* | Sr. Technical Architect
>>>> *Ping Identity* | www.pingidentity.com
>>>> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
>>>> *O:* 303-999-5890 *M:* 303-999-5890
>>>> *Email:* pdingle at pingidentity.com
>>>> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
>>>> *Connect with Ping*
>>>> Twitter: @pingidentity
>>>> LinkedIn Group: Ping's Identity Cloud
>>>> Facebook.com/pingidentitypage
>>>> *Connect with me*
>>>> Twitter: @pamelarosiedee
>>>>
>>>>
>>>>
>>>
>>>
>>> --
>>> ====================
>>> Ryo Ito
>>> Email : ritou.06 at gmail.com
>>> ====================
>>>
>>>
>>>
>>>
>>
>>
>> --
>> --Breno
>>
>>
>>
>
>
> --
> --Breno
>
>
>
--
--Breno
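As an added illustration of the expectation Justin and Breno describe above (the RP supplies login_id, but the IdP may come back with a different or pseudonymous user), the Python sketch below is not code from this thread, from Google, or from any IdP. It shows an RP sending login_id purely as a hint and then deciding, from the returned ID token claims, whether the authenticated user is the one it hinted at. The endpoint, client id, nonce and claim values are constructed; it assumes the IdP returns the standard OpenID Connect `email` and `email_verified` claims and that the ID token signature has already been verified.

```python
"""Relying-party handling of a login_id hint. Constructed example, not code
from the thread or from any IdP; the parameter name follows the thread."""
from enum import Enum
from urllib.parse import urlencode


class HintOutcome(Enum):
    NO_HINT = "no_hint"                # RP sent no hint; nothing to compare
    MATCH = "match"                    # IdP authenticated the hinted user
    DIFFERENT_USER = "different_user"  # an identified, but different, user
    UNIDENTIFIED = "unidentified"      # pseudonymous or no comparable identifier


def build_authorization_url(authorize_endpoint, client_id, redirect_uri,
                            state, nonce, login_id=None):
    """Build the /authorize request. login_id is a UX hint only: the RP still
    needs state (CSRF binding) and nonce (ID token replay) exactly as without it."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid email",
        "state": state,
        "nonce": nonce,
    }
    if login_id:
        params["login_id"] = login_id
    return f"{authorize_endpoint}?{urlencode(params)}"


def classify_response(login_id, claims, issuer, client_id, nonce):
    """Validate ID token claims (assumed signature-checked already) the same way
    with or without a hint, then report how the result relates to the hint."""
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if aud != client_id and not (isinstance(aud, list) and client_id in aud):
        raise ValueError("audience mismatch")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch")
    if not login_id:
        return HintOutcome.NO_HINT
    email = claims.get("email")
    # Only a verified email is comparable to the hint; a pseudonymous account
    # (no email, or an unverified one) cannot be matched against it either way.
    if not email or not claims.get("email_verified", False):
        return HintOutcome.UNIDENTIFIED
    if email.strip().lower() == login_id.strip().lower():
        return HintOutcome.MATCH
    return HintOutcome.DIFFERENT_USER


def session_subject(login_id, claims, issuer, client_id, nonce):
    """Return ((iss, sub), outcome) when the RP may bind a session, or
    (None, outcome) when it must not silently proceed under the hinted identity.
    Sessions are keyed on (iss, sub), never on the hinted login_id."""
    outcome = classify_response(login_id, claims, issuer, client_id, nonce)
    if outcome in (HintOutcome.NO_HINT, HintOutcome.MATCH):
        return (claims["iss"], claims["sub"]), outcome
    # A different or unidentifiable user came back: the local account the hint
    # pointed at must not be linked to this session. The RP should show who is
    # actually signed in and let the user choose (continue as them, or re-authenticate).
    return None, outcome


# Constructed sample: the RP hinted "bob@example.com", but the IdP's browser
# session belonged to Alice and the IdP returned her instead.
SAMPLE_ISSUER = "https://idp.example"
SAMPLE_CLIENT_ID = "rp-client-123"
SAMPLE_NONCE = "n-0c1d"
SAMPLE_CLAIMS_ALICE = {
    "iss": SAMPLE_ISSUER, "sub": "alice-sub-9a7", "aud": SAMPLE_CLIENT_ID,
    "nonce": SAMPLE_NONCE, "email": "alice@example.com", "email_verified": True,
}

if __name__ == "__main__":
    url = build_authorization_url(f"{SAMPLE_ISSUER}/authorize", SAMPLE_CLIENT_ID,
                                  "https://rp.example/cb", "s-42", SAMPLE_NONCE,
                                  login_id="bob@example.com")
    print(url)
    print(session_subject("bob@example.com", SAMPLE_CLAIMS_ALICE,
                          SAMPLE_ISSUER, SAMPLE_CLIENT_ID, SAMPLE_NONCE))
```

The design point is that the hint changes nothing on the validation path: issuer, audience and nonce are checked identically, the session is keyed on (iss, sub) rather than on the email the RP guessed, and a mismatch is surfaced to the user instead of being resolved by attaching the returned session to the hinted local account.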