[Openid-specs-ab] Two issues on id_token_hint [2]

Roland Hedberg roland.hedberg at umu.se
Sat Nov 22 08:01:12 UTC 2014


In the core spec it’s said about id_token_hint:
"ID Token previously issued by the Authorization Server being passed as a hint about the End-User's current or past authenticated session with the Client."

This doesn’t explicitly state that the ID Token had to be issued to the Client using it as an id_token_hint.

If that is the case then we should write something to the effect that the Client has to be
listed as one of the audiences (aud and/or azp?) of the ID Token it uses as an id_token_hint.

Given that aud is a list, the Client will anyway be one possible user of the ID Token as an id_token_hint.

If I'm correct up to now, we have a number of possible outcomes as to the sub value of the new ID Token,
all assuming that the original authentication is still valid.

I can see the following outcomes:
1) If both use redirect_uris that appear in the same sector_identifier_uri, then the sub should be the same.

2) If both have registered subject_type = public, then they should also be the same.

3) All other permutations should lead to the sub values not being the same.

Correct?

How have people implemented this?

— Roland

"Being able to think like a child is an important attribute of being an adult" - Eddie Izzard
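As an added illustration of the audience check and the three sub outcomes above (example code, not from this thread or any OP implementation): the client registrations and salt are constructed, and the pairwise derivation is the example method from OIDC Core section 8.1 (SHA-256 over sector identifier, local account id and salt), with the sector identifier taken from sector_identifier_uri or, failing that, from the host of the registered redirect_uri.

```python
import hashlib
from urllib.parse import urlparse

# Constructed client registrations at one OP (hypothetical, for illustration only).
CLIENTS = {
    "client-a": {"subject_type": "pairwise",
                 "sector_identifier_uri": "https://sector.example.com/redirect_uris.json",
                 "redirect_uris": ["https://a.example.com/cb"]},
    "client-b": {"subject_type": "pairwise",
                 "sector_identifier_uri": "https://sector.example.com/redirect_uris.json",
                 "redirect_uris": ["https://b.example.com/cb"]},
    "client-c": {"subject_type": "pairwise",
                 "redirect_uris": ["https://c.example.org/cb"]},
    "client-d": {"subject_type": "public",
                 "redirect_uris": ["https://d.example.org/cb"]},
    "client-e": {"subject_type": "public",
                 "redirect_uris": ["https://e.example.org/cb"]},
}
SALT = b"constructed-op-salt"  # a real OP keeps this value secret and stable


def sector_identifier(client_id: str) -> str:
    """Sector Identifier: host of sector_identifier_uri, else host of the
    registered redirect_uri (OIDC Core 8.1)."""
    reg = CLIENTS[client_id]
    uri = reg.get("sector_identifier_uri") or reg["redirect_uris"][0]
    return urlparse(uri).hostname


def derive_sub(client_id: str, local_account_id: str) -> str:
    """sub the OP would issue to this client for this local account.
    Pairwise derivation follows the example method in OIDC Core 8.1."""
    if CLIENTS[client_id]["subject_type"] == "public":
        return local_account_id
    material = sector_identifier(client_id).encode() + local_account_id.encode() + SALT
    return hashlib.sha256(material).hexdigest()


def sub_matches(hint_client: str, requesting_client: str, local_account_id: str) -> bool:
    """Would a new ID Token for requesting_client carry the same sub as an
    ID Token previously issued to hint_client for the same account?"""
    return derive_sub(hint_client, local_account_id) == derive_sub(requesting_client, local_account_id)


def hint_addressed_to(id_token_claims: dict, client_id: str) -> bool:
    """Accept an id_token_hint only if the presenting client is one of its
    audiences (aud) or its authorized party (azp)."""
    aud = id_token_claims.get("aud", [])
    if isinstance(aud, str):
        aud = [aud]
    return client_id in aud or id_token_claims.get("azp") == client_id
```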