[Openid-specs-ab] prompt=login clarification
Anganes, Amanda L
aanganes at mitre.org
Fri Aug 16 15:03:05 UTC 2013
This may be completely obvious and unworthy of clarification, but it made me do a double-take today so I thought I'd ask the list to weigh in.
When using prompt=login, if user A is currently logged in, it seems to be intended that ANY user can authenticate the request, even if they are not user A. The point of using prompt=login is that you want an active user to be present (and it doesn't matter who that active user is, or if their login overrides a stale login that was already present). The spec doesn't currently say anything about this:
prompt
OPTIONAL. Space delimited, case sensitive list of ASCII string values that specifies whether the Authorization Server prompts the End-User for reauthentication and consent. The defined values are:
login
The Authorization Server SHOULD prompt the End-User for reauthentication. If it cannot prompt the End-User, it MUST return an error.
(from Messages 2.1.1.1)
Should this be clarified? Is it totally obvious and we can leave it alone?
--Amanda
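As an added illustration of the reading discussed in this message (example code written for this page, not from the original post, the OpenID specs, or any OpenID Connect implementation): a minimal model of an Authorization Server acting on the `prompt` parameter. The `Session`, `Decision`, `authorize` and `complete_login` names are invented for the example, and the `login_required` error code is an assumption, since the quoted spec text only says the server "MUST return an error".

```python
"""Added example, not code from the original post or from any OpenID
implementation: how an Authorization Server could act on the OpenID Connect
`prompt` parameter under the reading discussed in the message above."""
from dataclasses import dataclass
from typing import Optional

# Assumed error code: the quoted spec text says only "MUST return an error".
LOGIN_REQUIRED = "login_required"


@dataclass
class Session:
    user_id: Optional[str] = None   # None: no End-User is currently logged in
    auth_time: int = 0              # when that End-User last authenticated


@dataclass
class Decision:
    action: str                     # "proceed", "authenticate" or "error"
    user_id: Optional[str] = None
    error: Optional[str] = None


def parse_prompt(prompt: Optional[str]) -> set:
    """Space-delimited, case-sensitive list of ASCII values (Messages 2.1.1.1).
    Because values are case sensitive, "LOGIN" is not the value "login"."""
    if prompt is None:
        return set()
    if not prompt.isascii():
        raise ValueError("prompt values must be ASCII")
    return set(prompt.split())


def authorize(session: Session, prompt: Optional[str], can_prompt: bool) -> Decision:
    """Decide what the Authorization Server does before issuing a response.

    can_prompt is False when the request arrives in a context where the
    server has no way to show the End-User a login page."""
    values = parse_prompt(prompt)
    if "login" in values:
        # prompt=login: reauthenticate even though a user may already be
        # logged in; an existing session for user A does not satisfy it.
        if not can_prompt:
            return Decision("error", error=LOGIN_REQUIRED)
        return Decision("authenticate")
    if session.user_id is None:
        # No prompt=login, but nobody is logged in: interactive login is the
        # normal path, and without UI there is nothing to do but fail.
        if not can_prompt:
            return Decision("error", error=LOGIN_REQUIRED)
        return Decision("authenticate")
    return Decision("proceed", user_id=session.user_id)


def complete_login(session: Session, authenticated_user: str, now: int) -> Session:
    """Record the outcome of the login prompt.

    Under the reading in the message above, whoever completes the
    reauthentication becomes the active user: a different user B replaces
    a stale session for user A rather than being rejected for not being A."""
    session.user_id = authenticated_user
    session.auth_time = now
    return session
```

The model deliberately does not compare the newly authenticated identity against the previous session user; that is exactly the behaviour the message asks the spec to state one way or the other, so an implementation that wants "only user A may satisfy this request" would need to add that check itself.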