[Openid-specs-ab] Question about prompt=none
Takahiko Kawasaki
daru.tk at gmail.com
Fri Jan 1 15:09:59 UTC 2016
Dear All,

I have a question about prompt=none, which is defined in "OpenID Connect
Core 1.0, 3.1.2.1. Authentication Request".

The description in the specification says as follows:

    The Authorization Server MUST NOT display any authentication or
    consent user interface pages. An error is returned if an End-User
    is not already authenticated or the Client does not have
    pre-configured consent for the requested Claims or does not fulfill
    other conditions for processing the request. The error code will
    typically be login_required, interaction_required, or another
    code defined in Section 3.1.2.6. This can be used as a method to
    check for existing authentication and/or consent.

If an End-User is already authenticated and the Client does not request any
claim (e.g. does not request an ID token), is it allowed to issue an
authorization code and/or an access token? For example, if a request comes
with prompt=none and response_type=code (and other necessary parameters),
is it allowed to issue an authorization code without any interaction with
the End-User? Doesn't this cause a security issue? What happens if an
End-User who has already logged in to a certain SNS loads a malicious
HTML page that makes a request to the SNS with prompt=none and
response_type=code behind the scenes, without letting him know about the
request?

What use case justifies prompt=none? It is difficult for my poor
imagination to make up a secure use case of prompt=none (except the case of
response_type=none) unless there are undocumented conditions (e.g. an
out-of-band consent prior to a request). What was discussed in the WG about
prompt=none?

If an implementation of an authorization server does not provide any means
for End-Users to set "pre-configured consent" (3.1.2.1. Authentication
Request) for claims and does not provide other out-of-band consent for
issuing authorization codes and access tokens, I guess that the
implementation cannot help but reject any request with prompt=none unless
it comes with response_type=none. What do you think?

Best Regards,
Takahiko Kawasaki
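The following is an added example, not part of the original post and not code from any OpenID implementation. It sketches the decision an authorization server can make for a prompt=none request so that the concern raised above (a code being issued silently) is bounded: a code is only issued when the End-User already has a session, the client has pre-configured consent covering every requested scope, and the redirect_uri is one registered for that client; otherwise the server returns the Section 3.1.2.6 error codes (login_required, consent_required, or invalid_request) instead of rendering any UI. The Session and ClientRecord classes, the CLIENTS store, the scope-based consent model and the "sns-client"/"alice" sample data are assumptions constructed for this illustration.

```python
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Error codes defined in OpenID Connect Core 1.0, Section 3.1.2.6 (and OAuth 2.0).
LOGIN_REQUIRED = "login_required"
CONSENT_REQUIRED = "consent_required"
INVALID_REQUEST = "invalid_request"


@dataclass
class Session:
    user_id: Optional[str] = None  # None: no End-User is authenticated at the AS


@dataclass
class ClientRecord:
    client_id: str
    redirect_uris: set
    # Pre-configured consent (assumed model): user_id -> scopes that user has
    # already granted to this client through an earlier, interactive consent.
    granted_scopes: dict = field(default_factory=dict)


# Constructed sample registration: "alice" previously consented to openid+profile.
CLIENTS = {
    "sns-client": ClientRecord(
        client_id="sns-client",
        redirect_uris={"https://client.example/cb"},
        granted_scopes={"alice": {"openid", "profile"}},
    )
}


def authorize(params: dict, session: Session) -> dict:
    """Decide an authorization request without rendering any UI when prompt=none.

    Returns one of:
      {"error": <code>, "redirect": bool}  error; redirect=False means the AS
                                            must not redirect at all (bad client
                                            or unregistered redirect_uri)
      {"interaction": "login"|"consent"}    UI is needed and prompt is not none
      {"code": <str>}                       authorization code issued
      {"issued": None}                      response_type=none: nothing issued
    """
    client = CLIENTS.get(params.get("client_id", ""))
    redirect_uri = params.get("redirect_uri", "")
    # A code may only be delivered to a redirect_uri registered for this client,
    # so a page that triggers a request in the user's browser does not receive it.
    if client is None or redirect_uri not in client.redirect_uris:
        return {"error": INVALID_REQUEST, "redirect": False}

    prompt = set(params.get("prompt", "").split())
    # Section 3.1.2.1: "none" combined with any other prompt value is an error.
    if "none" in prompt and len(prompt) > 1:
        return {"error": INVALID_REQUEST, "redirect": True}
    silent = "none" in prompt

    # No authenticated End-User: with prompt=none this is login_required.
    if session.user_id is None:
        return {"error": LOGIN_REQUIRED, "redirect": True} if silent else {"interaction": "login"}

    # response_type=none issues nothing, so no consent is needed beyond login.
    if params.get("response_type") == "none":
        return {"issued": None}

    # Every requested scope must already be covered by pre-configured consent.
    requested = set(params.get("scope", "").split())
    granted = client.granted_scopes.get(session.user_id, set())
    if not requested <= granted:
        return {"error": CONSENT_REQUIRED, "redirect": True} if silent else {"interaction": "consent"}

    return {"code": secrets.token_urlsafe(32)}
```

With this ordering, a server that has no mechanism at all for recording pre-configured consent ends up with an empty granted set for every user, so every prompt=none request that asks for any scope is answered with consent_required, which is the behaviour the last paragraph above describes.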