[Openid-specs-ab] inconsistent treatment of id_token_hint?
Brian Campbell
bcampbell at pingidentity.com
Tue Apr 7 15:10:30 UTC 2015
Core has two mentions of id_token_hint (not counting self issued and IANA
registration), which are quoted below. It seems that one says that an error
SHOULD be returned if the end-user identified by the id_token_hint isn't
the current user while the other says an error MUST be returned.
Is this an oversight that should maybe be fixed in errata v.next?
Or is there something more subtle or intentional here?
http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
id_token_hint OPTIONAL. ID Token previously issued by the Authorization
Server being passed as a hint about the End-User's current or past
authenticated session with the Client. * If the End-User identified by the
ID Token is logged in or is logged in by the request, then the
Authorization Server returns a positive response; otherwise, it SHOULD
return an error, such as login_required.* When possible, an id_token_hint
SHOULD be present when prompt=none is used and an invalid_request error MAY
be returned if it is not; however, the server SHOULD respond successfully
when possible, even if it is not present. The Authorization Server need not
be listed as an audience of the ID Token when it is used as an id_token_hint
value.
http://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation
If the sub (subject) Claim is requested with a specific value for the ID
Token, the *Authorization Server MUST only send a positive response if the
End-User identified by that sub value has an active session with the
Authorization Server or has been Authenticated as a result of the request.
The Authorization Server MUST NOT reply with an ID Token or Access Token
for a different user,* even if they have an active session with the
Authorization Server. Such a request can be made either using an
id_token_hint parameter or by requesting a specific Claim Value as
described in Section 5.5.1
<http://openid.net/specs/openid-connect-core-1_0.html#IndividualClaimsRequests>,
if the claims parameter is supported by the implementation.
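As an added worked example (not part of this message, and not code from any OpenID Provider), here is how an Authorization Server could apply the two quoted passages when handling an authorization request: the End-User named by the id_token_hint (or by a requested `sub` Claim Value) must be the one logged in, or be logged in by the request; otherwise no tokens are issued for anyone else, and with prompt=none the answer is login_required. The issuer, the HS256 key, and the helper names `mint_id_token`, `parse_hint` and `decide` are assumptions of the example; a real OP signs with its own asymmetric keys.

```python
"""Constructed example: AS-side handling of id_token_hint and a requested sub value."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Assumed values for this example only.
ISSUER = "https://op.example"
KEY = b"constructed-hs256-key-for-the-example-only"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(sub: str, aud: str, key: bytes = KEY, now: Optional[int] = None) -> str:
    """Issue a minimal HS256 ID Token, as the OP would have done on an earlier login."""
    iat = int(time.time() if now is None else now)
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": ISSUER, "sub": sub, "aud": aud, "iat": iat, "exp": iat + 300}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, payload)
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def parse_hint(token: str, key: bytes = KEY) -> Optional[dict]:
    """Return the claims of an id_token_hint this AS issued, or None if unusable.

    Following the quoted text, `aud` is NOT checked (the AS need not be an
    audience of the hint) and `exp` is NOT checked (the hint may describe a
    past session). Signature, alg and iss ARE checked: a forged or unsigned
    hint must not be able to steer which account receives the tokens.
    """
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        payload = json.loads(_b64url_decode(p))
        sig = _b64url_decode(s)
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return None
    if header.get("alg") != "HS256":  # pin the algorithm; never accept "none"
        return None
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    if payload.get("iss") != ISSUER or not isinstance(payload.get("sub"), str):
        return None
    return payload


def decide(request: dict, session: Optional[dict]) -> Tuple[str, Optional[str]]:
    """Decide the response to an authorization request.

    request: subset of the request parameters ('id_token_hint', 'prompt',
             and a parsed 'claims' object).
    session: {'sub': ...} for the End-User currently logged in at the AS, or None.
    Returns ('ok', sub)     -> issue tokens for sub
            ('login', sub)  -> authenticate interactively (as sub if not None), then re-run
            ('error', code) -> error response
    """
    prompt = set(request.get("prompt", "").split())
    required_sub: Optional[str] = None

    if "id_token_hint" in request:
        claims = parse_hint(request["id_token_hint"])
        if claims is None:
            return ("error", "invalid_request")  # hint present but not one of ours
        required_sub = claims["sub"]

    # The same constraint via the claims parameter: {"id_token": {"sub": {"value": "..."}}}
    sub_claim = ((request.get("claims") or {}).get("id_token") or {}).get("sub") or {}
    requested = sub_claim.get("value") if isinstance(sub_claim, dict) else None
    if requested is not None:
        if required_sub is not None and requested != required_sub:
            return ("error", "invalid_request")  # hint and claims name different users
        required_sub = requested

    if session is None or (required_sub is not None and session["sub"] != required_sub):
        # Nobody logged in, or someone else is: MUST NOT issue tokens for a
        # different user. Log the right user in now, or, when the client
        # forbade interaction with prompt=none, report login_required.
        if "none" in prompt:
            return ("error", "login_required")
        return ("login", required_sub)

    # prompt=none without any hint: the text says invalid_request MAY be
    # returned but the AS SHOULD succeed when possible, so succeed.
    return ("ok", session["sub"])
```

The only behaviour both quoted passages agree on unconditionally, never handing tokens to a user other than the one named by the hint, is the branch the example enforces first; the SHOULD/MUST question raised in the message concerns only which error code the client then sees.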