[Openid-specs-ab] Question re core "prompt=login"
Todd W Lainhart
lainhart at us.ibm.com
Mon Mar 3 20:57:57 UTC 2014
Makes sense - thanks.
Todd Lainhart
Rational software
IBM Corporation
550 King Street, Littleton, MA 01460-1250
1-978-899-4705
2-276-4705 (T/L)
lainhart at us.ibm.com
From: George Fletcher <gffletch at aol.com>
To: Todd W Lainhart/Lexington/IBM at IBMUS,
openid-specs-ab at lists.openid.net,
Date: 03/03/2014 02:24 PM
Subject: Re: [Openid-specs-ab] Question re core "prompt=login"
Two things...
1. Relying parties must assume that the returned user could be different
than the "current" user and deal with the scenario (i.e. late-time
binding). There were some exploits with OpenID2 because RPs did not
implement late-time bindings.
2. If a id_token_hint is specified, then a "switch-user" is NOT allowed.
This is described in the text for the id_token_hint.
So, I think it would be ok to perform a "switch-user" if a specific user
is NOT identified in the request. The RPs MUST handle this case
regardless.
Thanks,
George
On 3/3/14 1:59 PM, Todd W Lainhart wrote:
http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
A question came up here regarding whether it is legal/expected to
"switch-user" on the OP when prompt=login is given, and change the
session. The text says this:
login
The Authorization Server SHOULD prompt the End-User for reauthentication.
If it cannot reauthenticate the End-User, it MUST return an error,
typically login_required.
Some interpret "reauthentication" as validating the logged-in user with a
request for a resubmit of their credentials - others interpret
"reauthentication" as the ability to do an "su". Can someone clarify the
intent?
Todd Lainhart
Rational software
IBM Corporation
550 King Street, Littleton, MA 01460-1250
1-978-899-4705
2-276-4705 (T/L)
lainhart at us.ibm.com
_______________________________________________
Openid-specs-ab mailing list
Openid-specs-ab at lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-specs-ab
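The two rules George gives above (late binding on the RP side; no switch-user when id_token_hint names a user), as an added worked example in Python. This is not code from the thread or from the OpenID Connect specification; every name in it is hypothetical. It assumes ID Tokens have already been signature-verified and arrive as plain claim dicts, that the RP session is a dict, and that the `sub` carried by any id_token_hint has been extracted before these functions are called.

```python
"""Added example: OP-side switch-user decision and RP-side late binding for
prompt=login. Not from the original thread or spec; names are hypothetical.
Assumes ID Tokens are already signature-verified and passed as claim dicts.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional


class LoginRequired(Exception):
    """Corresponds to the OIDC error code login_required."""


@dataclass
class AuthRequest:
    client_id: str
    prompt: frozenset[str] = field(default_factory=frozenset)  # e.g. {"login"}
    id_token_hint_sub: Optional[str] = None  # 'sub' from id_token_hint, if one was sent


def op_select_user(request: AuthRequest,
                   current_session_sub: Optional[str],
                   reauthenticated_sub: Optional[str]) -> str:
    """OP side: decide which End-User the new ID Token is issued for.

    current_session_sub  - user of the OP's existing browser session, if any
    reauthenticated_sub  - user who just passed the prompt=login challenge, or
                           None if the challenge failed; may be a different user
                           than the session holds (the "switch-user" case)
    """
    if "login" in request.prompt:
        if reauthenticated_sub is None:
            raise LoginRequired("reauthentication failed")
        candidate = reauthenticated_sub
    else:
        if current_session_sub is None:
            raise LoginRequired("no authenticated session")
        candidate = current_session_sub
    # Rule 2: a request that names a specific user via id_token_hint must not
    # come back for anyone else. That is an error, never a silent switch.
    if request.id_token_hint_sub is not None and candidate != request.id_token_hint_sub:
        raise LoginRequired("id_token_hint identifies a different End-User")
    return candidate


def rp_bind_session(session: dict,
                    id_token: dict,
                    expected_nonce: str,
                    expected_aud: str,
                    sent_id_token_hint_sub: Optional[str] = None,
                    request_time: Optional[int] = None) -> dict:
    """RP side (rule 1): bind the session to whoever the OP actually returned,
    never assuming it is the user the RP already had in session."""
    if id_token.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch: response does not belong to this request")
    aud = id_token.get("aud")
    if aud != expected_aud and not (isinstance(aud, list) and expected_aud in aud):
        raise ValueError("ID Token was not issued to this client")
    returned_sub = id_token["sub"]
    if sent_id_token_hint_sub is not None and returned_sub != sent_id_token_hint_sub:
        # Defence in depth: the OP should already have refused this (rule 2).
        raise ValueError("OP returned a user other than the one named in id_token_hint")
    # Local RP policy (an assumption of this example): after prompt=login the
    # authentication must be fresher than the request itself.
    if request_time is not None and id_token.get("auth_time", 0) < request_time:
        raise ValueError("auth_time predates the prompt=login request")
    if session.get("sub") not in (None, returned_sub):
        # The OP switched users: nothing tied to the previous user may survive.
        session.clear()
    session["sub"] = returned_sub
    session["auth_time"] = id_token.get("auth_time")
    return session


if __name__ == "__main__":
    # Constructed sample data, not real tokens.
    req = AuthRequest(client_id="rp", prompt=frozenset({"login"}))
    print("OP issues token for:", op_select_user(req, "alice", "bob"))  # switch allowed
    token = {"sub": "bob", "aud": "rp", "nonce": "n1", "auth_time": 1000}
    print(rp_bind_session({"sub": "alice", "cart": ["x"]}, token, "n1", "rp", request_time=900))
```

The OP function returns the switched user only when no id_token_hint was sent; with a hint, any mismatch becomes login_required. On the RP side, a mismatch between the session's `sub` and the returned `sub` wipes the old session state before rebinding, which is the late binding George refers to.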