[Openid-specs-ab] LoginId hint
John Bradley
ve7jtb at ve7jtb.com
Tue Sep 4 15:47:32 UTC 2012
You can also do that in the request object by setting the required value of the email.
On 2012-09-04, at 12:18 PM, Nat Sakimura <sakimura at gmail.com> wrote:
> Blaine's use case is a bit different than the id_token case.
> In the id_token case, the relying party already has the id_token
> perhaps associated with the browser session. However, in Blaine's use
> case, the use case of using a friend's computer, it is not the case.
> The user obviously cannot supply the real verified identifier aka
> id_token, and can only supply something like email. In his scenario,
> the IdP should only return the positive assertion if the email
> identifier associated with the user that logged in to the IdP includes
> the email supplied. (Obviously, that email needs to be a verified
> one.) So, the request being sent from the RP is essentially saying:
>
> "give me id_token if and only if the user's verified emails includes
> the supplied one."
>
> Is that correct, Blaine?
>
> Nat
>
> On Tue, Sep 4, 2012 at 11:47 PM, John Bradley <ve7jtb at ve7jtb.com> wrote:
>> We have the only sign in this user_id in the request object already.
>>
>> Perhaps we need clearer guidance to the IdP what they need to do in that case.
>>
>> This was intended for cases where you still want to let them login as something else but want to have the IdP pre fill.
>>
>> One thing to note is that there is no guaranteed mapping between a email and a user_id.
>>
>> John B.
>>
>>
>> On 2012-09-04, at 7:32 AM, Blaine Cook <romeda at gmail.com> wrote:
>>
>>> I'm very, very glad to see this being codified.
>>>
>>> So, I know that it doesn't affect the security properties, and the
>>> client will always need to verify that the requested user matches the
>>> one that was / is expected, but rather than just a hint, would it be
>>> possible for this parameter to semantically mean (on agreement between
>>> a cooperating IdP and RP):
>>>
>>> "Only sign in the user identified by user_id. If it's not possible to
>>> sign in that user, please return an error."
>>>
>>> Having this agreement would simplify the vast majority of interaction
>>> design around sign in.
>>>
>>> I've recorded a video that goes through the failure case of what
>>> happens when we don't have this parameter:
>>>
>>> http://www.youtube.com/watch?v=t2MGLkB9xDw&feature=youtu.be
>>>
>>> I hope that helps define this parameter. As I've said a number of
>>> times before, I firmly believe that this parameter is the most
>>> important one for OpenID Connect to be a viable tool.
>>>
>>> b.
>>>
>>>
>>> On 1 September 2012 09:43, Roland Hedberg <roland.hedberg at adm.umu.se> wrote:
>>>> Nat Sakimura skrev 2012-08-31 01:54:
>>>>> I think we had similar discussion before and the result then was to
>>>>> signify that it is a hint through the parameter name. I support login_hint.
>>>>
>>>> +1
>>>>
>>>> -- Roland
>>>>
>>>> _______________________________________________
>>>> Openid-specs-ab mailing list
>>>> Openid-specs-ab at lists.openid.net
>>>> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>>> _______________________________________________
>>> Openid-specs-ab mailing list
>>> Openid-specs-ab at lists.openid.net
>>> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>>
>>
>> _______________________________________________
>> Openid-specs-ab mailing list
>> Openid-specs-ab at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>>
>
>
>
> --
> Nat Sakimura (=nat)
> Chairman, OpenID Foundation
> http://nat.sakimura.org/
> @_nat_en
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4937 bytes
Desc: not available
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20120904/3565e494/attachment.p7s>
More information about the Openid-specs-ab
mailing list