[Openid-specs-ab] Messages -15 RC: id_token_hint not clear
Brian Campbell
bcampbell at pingidentity.com
Fri Jan 25 22:16:50 UTC 2013
After reading the text about id_token_hint, I'm not at all sure what it
means. The whole thing is confusing to me but the various language around
encryption is particularly confusing. And what is the AS/OP supposed to
actually do with this hint anyway?
spec text from near the bottom of this section
http://openid.net/specs/openid-connect-messages-1_0-15.html#auth_req
id_token_hint OPTIONAL. ID Token <http://openid.net/specs/openid-connect-messages-1_0-15.html#id_token> passed
to the Authorization server as a hint about the user's current or
past authenticated session with the client. This SHOULD be present if
prompt=none is sent. The value is a
JWS <http://openid.net/specs/openid-connect-messages-1_0-15.html#JWS> [JWS]
encoded ID token as signed by the issuer; the
JWS <http://openid.net/specs/openid-connect-messages-1_0-15.html#JWS> [JWS]
may be JWE <http://openid.net/specs/openid-connect-messages-1_0-15.html#JWE> [JWE]
encrypted by the public key of the issuer for additional
confidentiality. If the ID Token received by the RP was encrypted, the
Client MUST decrypt the signed ID Token. The Client MAY re-encrypt using
the key that the server is capable of decrypting. For a self-issued ID
Token, the sub (subject) of the ID Token MUST be sent as the kid (Key ID)
of the JWE.
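What the OP is meant to do with the hint is the open question of this message; as an added example (not spec text, and not code from any OpenID implementation), here is one defensive way an OP could consume an unencrypted id_token_hint on a prompt=none request: check that it is the OP's own signed JWS for this client, then compare its sub to the currently authenticated session. Assumptions: HS256 with an OP-held key stands in for the issuer's real signing algorithm, and the issuer, client_id, key and claims are constructed sample values.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def sign_hs256(claims: dict, key: bytes) -> str:
    """Mint a compact JWS as the OP would when issuing an ID Token (HS256 stand-in for the OP's signing key)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def check_id_token_hint(hint: str, key: bytes, issuer: str, client_id: str, session_sub: Optional[str]) -> dict:
    """OP-side evaluation of an id_token_hint (assumed policy, not normative spec behaviour)."""
    parts = hint.split(".")
    if len(parts) == 5:  # compact JWE: the OP must first decrypt it with its own key
        return {"ok": False, "reason": "jwe_not_unwrapped"}
    if len(parts) != 3:
        return {"ok": False, "reason": "malformed"}
    try:
        header = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
    except (ValueError, UnicodeDecodeError):
        return {"ok": False, "reason": "malformed"}
    if header.get("alg") != "HS256":  # pin the algorithm; never trust alg=none or a client-chosen alg
        return {"ok": False, "reason": "unexpected_alg"}
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        return {"ok": False, "reason": "bad_signature"}  # not a token this OP issued
    if claims.get("iss") != issuer:
        return {"ok": False, "reason": "wrong_issuer"}
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        return {"ok": False, "reason": "wrong_audience"}  # hint was issued to a different client
    sub = claims.get("sub")
    if session_sub is None:
        return {"ok": False, "reason": "no_session", "sub": sub}  # prompt=none cannot succeed
    if sub != session_sub:
        return {"ok": False, "reason": "different_user", "sub": sub}  # logged-in user is not the hinted one
    return {"ok": True, "sub": sub}


# Constructed sample: the OP checks a hint for client "client-1" against an "alice" session.
OP_KEY = b"constructed-op-signing-key"
SAMPLE_HINT = sign_hs256({"iss": "https://op.example", "sub": "alice", "aud": "client-1"}, OP_KEY)
```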