[Openid-specs-ab] Question re core "prompt=login"
George Fletcher
gffletch at aol.com
Mon Mar 3 19:23:54 UTC 2014
Two things...
1. Relying parties must assume that the returned user could be different
than the "current" user and deal with the scenario (i.e. late-time
binding). There were some exploits with OpenID2 because RPs did not
implement late-time bindings.
2. If an id_token_hint is specified, then a "switch-user" is NOT allowed.
This is described in the text for the id_token_hint.
So, I think it would be ok to perform a "switch-user" if a specific user
is NOT identified in the request. The RPs MUST handle this case regardless.
Thanks,
George
On 3/3/14 1:59 PM, Todd W Lainhart wrote:
> http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
>
> A question came up here regarding whether it is legal/expected to
> "switch-user" on the OP when prompt=login is given, and change the
> session. The text says this:
>
> login
> The Authorization Server SHOULD prompt the End-User for
> reauthentication. If it cannot reauthenticate the End-User, it MUST
> return an error, typically login_required.
>
>
> Some interpret "reauthentication" as validating the logged-in user
> with a request for a resubmit of their credentials - others interpret
> "reauthentication" as the ability to do an "su". Can someone clarify
> the intent?
>
>
> Todd Lainhart
> Rational software
> IBM Corporation
> 550 King Street, Littleton, MA 01460-1250
> 1-978-899-4705
> 2-276-4705 (T/L)
> lainhart at us.ibm.com
>
--
George Fletcher <http://connect.me/gffletch>
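The two rules in George's reply (an OP that refuses a switch-user only when id_token_hint names a specific user, and an RP that binds its session to whatever sub actually comes back) modelled as an added Python example. This is not code from the thread, the OpenID Foundation, or any OP/RP implementation; the request and session structures are simplified, the id_token_hint is assumed to have been validated before its sub is extracted, and returning login_required for a mismatched hint is an assumption chosen to match the error the thread quotes.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class AuthRequest:
    """Only the parts of an authentication request that matter here.
    id_token_hint_sub is the 'sub' claim taken from id_token_hint; this
    example assumes the OP already validated that token (signature, issuer)."""
    prompt: Optional[str] = None
    id_token_hint_sub: Optional[str] = None


def op_handle_prompt_login(req: AuthRequest,
                           reauthenticated_sub: Optional[str]) -> Tuple[str, str]:
    """OP side of prompt=login.

    reauthenticated_sub is the account whose credentials were just submitted
    at the login prompt, or None if reauthentication did not happen.
    Returns ("id_token", sub) on success or ("error", code) otherwise.
    """
    if req.prompt != "login":
        raise ValueError("this helper models the prompt=login path only")
    if reauthenticated_sub is None:
        # Could not reauthenticate the End-User: the spec text requires an
        # error, typically login_required.
        return ("error", "login_required")
    if req.id_token_hint_sub is not None and req.id_token_hint_sub != reauthenticated_sub:
        # A specific user was identified by id_token_hint, so a different
        # account logging in is a switch-user and is refused (error code
        # chosen here as an assumption).
        return ("error", "login_required")
    # No hint, or the hint matches: return the reauthenticated account even
    # if it differs from whoever was previously logged in at the OP.
    return ("id_token", reauthenticated_sub)


def rp_bind_session(session: dict, returned_sub: str) -> dict:
    """RP side, late-time binding.

    The RP never assumes the returned sub equals the user it already had in
    the session. If the sub changed, every piece of state tied to the old
    user is dropped and the session is rebound to the new sub.
    """
    previous = session.get("sub")
    if previous is not None and previous != returned_sub:
        return {"sub": returned_sub, "user_data": {}, "switched": True}
    return {"sub": returned_sub,
            "user_data": dict(session.get("user_data", {})),
            "switched": False}


if __name__ == "__main__":
    # Constructed walk-through: RP session for "alice" (no hint sent), OP
    # login prompt answered by "bob" -> RP must rebind rather than assume alice.
    rp_session = {"sub": "alice", "user_data": {"cart": ["item-1"]}}
    outcome = op_handle_prompt_login(AuthRequest(prompt="login"), "bob")
    print(outcome)                                   # ('id_token', 'bob')
    print(rp_bind_session(rp_session, outcome[1]))   # switched=True, cart gone
    # Same login, but the RP pinned the user with id_token_hint for alice.
    print(op_handle_prompt_login(
        AuthRequest(prompt="login", id_token_hint_sub="alice"), "bob"))
```

The RP-side function is the part George says is mandatory regardless: whether or not an RP chooses to pin the user with id_token_hint, it has to be prepared for a different sub and must not carry the old user's state across.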