[Openid-specs-ab] Issue #1047: session_state - upon authentication failure? (openid/connect)
Filip Skokan
issues-reply at bitbucket.org
Sat Aug 25 09:43:19 UTC 2018
New issue 1047: session_state - upon authentication failure?
https://bitbucket.org/openid/connect/issues/1047/session_state-upon-authentication-failure
Filip Skokan:
from: https://openid.net/specs/openid-connect-session-1_0.html#rfc.section.3
> When the OP supports session management, it MUST also return the Session State as an additional session_state parameter in the Authentication Response. The OpenID Connect Authentication Response is specified in Section 3.1.2.5 of OpenID Connect Core 1.0.
Section 3.1.2.5 of Core 1.0 is `Successful Authentication Response`
And yet https://openid.net/specs/openid-connect-session-1_0.html#rfc.section.4.1 at the end of the section says
> Note that the session state is origin bound. **Session state SHOULD be returned upon an authentication failure.**
Should `session_state` be returned with error responses too?
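As an added illustration of the two responses the question contrasts (not code from the OpenID specs, from Filip Skokan, or from any OP): a minimal OP-side builder that emits the Successful Authentication Response (Core 3.1.2.5) and the Authentication Error Response (Core 3.1.2.6), attaching `session_state` to the error redirect only when the `session_state_on_error` switch is set, which is a hypothetical knob standing in for the SHOULD quoted from Session Management 4.1. The `session_state` construction follows the non-normative example in Session Management 4.2 (SHA-256 over client_id, origin, OP browser state and a salt, with the salt appended after a dot); the client_id, redirect URIs and browser-state values are constructed inputs. The RP-side recomputation at the end is what the check_session_iframe does, and it shows why the value is origin bound: the same salt with a different origin no longer matches.

```python
"""Added example: building OpenID Connect authentication responses with
session_state (Session Management 1.0). Not the spec's or any OP's code.
Hashing follows the non-normative construction in Session Management 4.2;
session_state_on_error is a hypothetical switch for the SHOULD in 4.1."""
import hashlib
import hmac
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(uri: str) -> str:
    """Web origin (scheme://host[:port]) of a redirect_uri, default port omitted.
    session_state is bound to this origin, not to the full redirect_uri."""
    u = urlparse(uri)
    host = u.hostname or ""
    if u.port is None or u.port == DEFAULT_PORTS.get(u.scheme):
        return f"{u.scheme}://{host}"
    return f"{u.scheme}://{host}:{u.port}"


def compute_session_state(client_id: str, origin: str, op_browser_state: str,
                          salt: Optional[str] = None) -> str:
    """SHA256(client_id + ' ' + origin + ' ' + opbs + ' ' + salt) + '.' + salt,
    the construction shown non-normatively in Session Management 4.2."""
    salt = salt if salt is not None else secrets.token_hex(16)
    material = f"{client_id} {origin} {op_browser_state} {salt}".encode()
    return hashlib.sha256(material).hexdigest() + "." + salt


def build_authentication_response(redirect_uri: str, state: str, client_id: str,
                                  op_browser_state: str, *, code: Optional[str] = None,
                                  error: Optional[str] = None,
                                  error_description: Optional[str] = None,
                                  session_state_on_error: bool = True,
                                  salt: Optional[str] = None) -> str:
    """Redirect URL for the success response (Core 3.1.2.5, 'code') or the
    error response (Core 3.1.2.6, 'error'). session_state is always added on
    success; on error only when session_state_on_error is set."""
    if (code is None) == (error is None):
        raise ValueError("exactly one of code or error must be given")
    params = {}
    if error is None:
        params["code"] = code
    else:
        params["error"] = error
        if error_description:
            params["error_description"] = error_description
    params["state"] = state
    if error is None or session_state_on_error:
        params["session_state"] = compute_session_state(
            client_id, origin_of(redirect_uri), op_browser_state, salt)
    return f"{redirect_uri}?{urlencode(params)}"


def response_params(url: str) -> dict:
    """Flatten the query string of an authentication response into a dict."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def rp_session_unchanged(client_id: str, origin: str, session_state: str,
                         op_browser_state: str) -> bool:
    """RP-side check (what the check_session_iframe does after postMessage):
    recompute with the salt carried in session_state and compare in constant
    time. False means the OP's browser state (or the origin) differs."""
    _, _, salt = session_state.partition(".")
    expected = compute_session_state(client_id, origin, op_browser_state, salt)
    return hmac.compare_digest(expected, session_state)
```

Whichever way the SHOULD is read, an RP must be ready for `session_state` to be absent from an error redirect and must not fail the error handling on that account.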