[Openid-specs-ab] Question re core "prompt=login"
John Bradley
ve7jtb at ve7jtb.com
Mon Mar 3 19:59:58 UTC 2014
Yes.
On Mar 3, 2014, at 7:23 PM, George Fletcher <gffletch at aol.com> wrote:
> Two things...
>
> 1. Relying parties must assume that the returned user could be different than the "current" user and deal with the scenario (i.e. late-time binding). There were some exploits with OpenID2 because RPs did not implement late-time bindings.
>
> 2. If a id_token_hint is specified, then a "switch-user" is NOT allowed. This is described in the text for the id_token_hint.
>
> So, I think it would be ok to perform a "switch-user" if a specific user is NOT identified in the request. The RPs MUST handle this case regardless.
>
> Thanks,
> George
>
> On 3/3/14 1:59 PM, Todd W Lainhart wrote:
>> http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
>>
>> A question came up here regarding whether it is legal/expected to "switch-user" on the OP when prompt=login is given, and change the session. The text says this:
>>
>> login
>> The Authorization Server SHOULD prompt the End-User for reauthentication. If it cannot reauthenticate the End-User, it MUST return an error, typically login_required.
>>
>>
>> Some interpret "reauthentication" as validating the logged-in user with a request for a resubmit of their credentials - others interpret "reauthentication" as the ability to do an "su". Can someone clarify the intent?
>>
>> Todd Lainhart
>> Rational software
>> IBM Corporation
>> 550 King Street, Littleton, MA 01460-1250
>> 1-978-899-4705
>> 2-276-4705 (T/L)
>> lainhart at us.ibm.com
>>
>> _______________________________________________
>> Openid-specs-ab mailing list
>> Openid-specs-ab at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>
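An RP-side sketch of the "late-time binding" rule George describes, added here as an illustration and not code from the thread or from any OpenID project: after a prompt=login round trip, the RP compares the `sub` in the returned ID Token with the user bound to its current session and with the `sub` it sent in id_token_hint, if any. The names `Session` and `reconcile_login` are assumed for the example.

```python
# Added example (not from the thread): RP handling of the user returned after a
# prompt=login request. The RP must not assume the "current" user came back; it
# either rebinds the session to the returned subject or, when the request pinned
# a user via id_token_hint, refuses a switched user. Names are assumed.
from dataclasses import dataclass
from typing import Optional


@dataclass
class Session:
    iss: str                         # issuer the session was established with
    sub: Optional[str] = None        # subject currently bound; None if anonymous
    auth_time: Optional[int] = None  # last authentication time seen in an ID Token


def reconcile_login(session: Session, id_token: dict, sent_hint_sub: Optional[str]) -> str:
    """Decide how the RP treats the subject returned by a prompt=login round trip.

    id_token is the validated claim set of the fresh ID Token (signature, aud, exp
    already checked elsewhere). sent_hint_sub is the sub from the id_token_hint the
    RP included in the request, or None if it sent no hint. Returns:
      "reject"          - wrong issuer, no sub, or a user switch that the request
                          forbade because id_token_hint named a specific user
      "reauthenticated" - same user as before; the session's auth_time is refreshed
      "switched"        - no user was pinned, so the session is rebound to the
                          returned subject (late-time binding)
    """
    if id_token.get("iss") != session.iss:
        return "reject"
    returned_sub = id_token.get("sub")
    if not returned_sub:
        return "reject"
    if sent_hint_sub is not None and returned_sub != sent_hint_sub:
        # The hint pinned the user; an OP honouring it would have returned an
        # error such as login_required rather than a different subject.
        return "reject"
    if session.sub == returned_sub:
        session.auth_time = id_token.get("auth_time")
        return "reauthenticated"
    # No pinned user: bind the session to whoever actually authenticated.
    session.sub = returned_sub
    session.auth_time = id_token.get("auth_time")
    return "switched"


if __name__ == "__main__":
    # Constructed claim set: the OP performed an "su" to bob while alice was current.
    s = Session(iss="https://op.example")
    s.sub = "alice"
    print(reconcile_login(s, {"iss": "https://op.example", "sub": "bob", "auth_time": 1}, None), s.sub)
```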