[Openid-specs-ab] Issue #878: Messages 2.1.1.1 Define "negative response" for id_token_hint (openid/connect)
Vladimir Dzhuvinov
issues-reply at bitbucket.org
Mon Sep 30 09:08:19 UTC 2013
New issue 878: Messages 2.1.1.1 Define "negative response" for id_token_hint
https://bitbucket.org/openid/connect/issue/878/messages-2111-define-negative-response-for
Vladimir Dzhuvinov:
Hi guys,
id_token_hint: The spec says that the server SHOULD return a "negative response" if the required subject isn't logged in. We have found out that for proper client / server interop there has to be an agreed error code for that.
The base OAuth 2.0 "access_denied" error is one possible candidate for that, but is too general.
The OIDC error "login_required" seems more specific, and it also ties nicely with the (common?) id_token_hint case when it is used with prompt=none.
Finally, what error should the server return if prompt=none and the server's policy expects an id_token_hint, but it is missing in the authz request? invalid_request?
What are the security implications of not requiring an id_token_hint with prompt=none?
Thanks,
Vladimir