[Openid-specs-ab] Issue #1046: Core 3.1.2.1. - id_token_hint (openid/connect)

Torsten Lodderstedt issues-reply at bitbucket.org
Fri Aug 24 10:35:45 UTC 2018


New issue 1046: Core 3.1.2.1. - id_token_hint
https://bitbucket.org/openid/connect/issues/1046/core-3121-id_token_hint

Torsten Lodderstedt:

Description of id_token_hint, 2nd sentence states:

"If the End-User identified by the ID Token is logged in or is logged in by the request, then the Authorization Server returns a positive response; otherwise, it SHOULD return an error, such as login_required."

This statement forces the OP to treat the id_token_hint as an essential requirement of the authentication transaction's outcome. This differs substantially from the login_hint's specified behavior. I think either the "hint" suffix is misleading or the text should be softened to allow the OP to also identify another user account. I prefer the latter since this allows the RP to utilize an existing ID token the same way as an e-mail address as a hint to simplify the login experience.
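To make the difference between the two readings concrete, here is an added example of an OP-side authorization check (illustration only, not code from the OpenID Connect specification or from the issue author). It builds a constructed HS256-signed ID token with a constructed key, verifies the signature of an incoming id_token_hint before trusting its sub claim, and then applies either the behaviour quoted from Core 3.1.2.1 (hinted user not logged in returns login_required) or the softened "hint only" behaviour proposed in the issue (another logged-in account is accepted). The function names, the strict_hint flag, the session model and the error code for an unverifiable hint are all assumptions made for this example.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample signing key for this example; a real OP would use its
# configured asymmetric or symmetric signing key, not a literal like this.
OP_SIGNING_KEY = b"constructed-example-op-key"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_id_token(claims: dict, key: bytes = OP_SIGNING_KEY) -> str:
    """Produce a compact HS256 JWT carrying the given claims (constructed helper)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    signature = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def parse_id_token_hint(token: str, key: bytes = OP_SIGNING_KEY):
    """Return the claims of a hint the OP itself signed, or None if it cannot be trusted.

    Expiry is deliberately not checked here; the example only cares about whether
    the 'sub' claim is authentic enough to compare against the current session.
    """
    try:
        header, payload, signature = token.split(".")
        provided = _b64url_decode(signature)
    except (ValueError, base64.binascii.Error):
        return None
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, provided):
        return None
    return json.loads(_b64url_decode(payload))


def authorize(params: dict, session_sub, strict_hint: bool = True):
    """Decide the outcome of an authorization request given the current session.

    params      -- the request parameters (only 'id_token_hint' is inspected here)
    session_sub -- 'sub' of the End-User currently logged in at the OP, or None
    strict_hint -- True: behaviour as quoted from Core 3.1.2.1 (hinted user must be
                   the one logged in); False: softened behaviour from the issue
                   (the hint only pre-identifies a user, another account is fine)
    Returns ("ok", sub) for a positive response or ("error", code) otherwise.
    """
    hint = params.get("id_token_hint")
    if hint is None:
        # No hint: any logged-in user is fine, otherwise authentication is needed.
        return ("ok", session_sub) if session_sub is not None else ("error", "login_required")

    claims = parse_id_token_hint(hint)
    if claims is None:
        # Unverifiable hint: refuse rather than trust an unauthenticated 'sub'
        # (error code chosen for this example).
        return ("error", "invalid_request")

    hinted_sub = claims.get("sub")
    if session_sub is not None and session_sub == hinted_sub:
        # The End-User identified by the ID Token is logged in: positive response.
        return ("ok", session_sub)

    if strict_hint:
        # Spec text as quoted: the hinted user is not logged in, so error out.
        return ("error", "login_required")

    # Softened reading: the hint is advisory; a different logged-in account is acceptable.
    if session_sub is not None:
        return ("ok", session_sub)
    return ("error", "login_required")
```

Run with a token issued for "alice" and a session for "bob": the strict mode returns ("error", "login_required"), the softened mode returns ("ok", "bob"). Either way an unverifiable hint is never used to select an account, which is the part that stays the same regardless of which reading the specification settles on.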




