[Openid-specs-ab] Submission: prompt=create draft spec
George Fletcher
gffletch at aol.com
Fri Feb 1 16:57:48 UTC 2019
I'm not sure this makes sense. The OpenID Connect spec says...
login
The Authorization Server SHOULD prompt the End-User for
reauthentication. If it cannot reauthenticate the End-User, it MUST
return an error, typically login_required.
In this particular case, since the desire is for the user to create a
new account, the user may not need to login.
That said, I'm updating the spec to make 'prompt=create' more of a hint
to the OP rather than a requirement of what the OP MUST do.
Thanks,
George
P.S. New version to be posted shortly :)
On 1/31/19 9:33 PM, nov matake via Openid-specs-ab wrote:
> Hi George,
>
> Even when RP requests "prompt=create", IdP can allow logging into
> existing account on its signup page.
> e.g., https://login.aol.com/account/create
>
> So that, allowing "prompt=create login" seems meaningful to me.
>
> nov
>
>> On Feb 1, 2019, at 9:40, Brock Allen via Openid-specs-ab
>> <openid-specs-ab at lists.openid.net
>> <mailto:openid-specs-ab at lists.openid.net>> wrote:
>>
>> Do you have a concrete example of how a client would know to send
>> prompt=create?
>>
>> I ask because my first reaction is that given the client doesn't
>> authenticate the user, it has no idea if the user has an account or
>> not, so how/why would it know to send this value?
>>
>> Or are you simply imagining the scenario where the client shows a
>> "login" or "register" link, rather than getting the OP to do that?
>>
>> -Brock
>>
>>> On 1/31/2019 3:46:26 PM, George Fletcher via Openid-specs-ab
>>> <openid-specs-ab at lists.openid.net
>>> <mailto:openid-specs-ab at lists.openid.net>> wrote:
>>>
>>> Thanks so much for the quick feedback William! Comments inline...
>>>
>>> On 1/31/19 12:45 PM, William Denniss wrote:
>>>> Hi George,
>>>>
>>>> Some quick review thoughts:
>>>>
>>>> Section 4 Why is there a prohibition on combining "create" with
>>>> other prompt values? What if a future prompt value was added that
>>>> was compatible with "create"?
>>> My thinking (though I'm open to options) is that there are many
>>> values that can be mutually exclusive. For example, what does
>>> prompt="create consent" mean? I'm happy to reduce this to SHOULD to
>>> allow for future possibilities. Or change the wording to explain
>>> that other prompt values that conflict with "create" should not be used.
>>>>
>>>> Section 4.1, "the account creation experience" isn't defined by any
>>>> OpenID spec, so requiring it with a MUST could be problematic.
>>>> Also, most guidance on the UI shown by the OP is generally in the
>>>> form of recommendations not normative requirements (e.g. around
>>>> scope consent screens).
>>> OK, I'm fine changing this to a SHOULD if that makes things more
>>> acceptable :)
>>>>
>>>> As background, how would you expect this to be shown on the client?
>>>> Two different buttons, one to connect an existing account, one to
>>>> create a new account? Might be worth a non-normative discussion in
>>>> the doc about how the clients might use this.
>>> More or less, yes :) There are some use cases where the client may
>>> want to allow the user to choose between the options (sign-up vs
>>> sign-in) before starting the authentication flow. I don't think it
>>> precludes the OP from having to know that a client started an
>>> authentication flow, the user chose the sign-up link/button and then
>>> at the end of registration the OP needs to redirect back to the
>>> client with a code. However, it does allow the client to optimize
>>> the experience.
>>>
>>> Thanks again,
>>> George
>>>>
>>>> William
>>>>
>>>>
>>>> On Thu, Jan 31, 2019 at 9:19 AM George Fletcher via Openid-specs-ab
>>>> <openid-specs-ab at lists.openid.net
>>>> <mailto:openid-specs-ab at lists.openid.net>> wrote:
>>>>
>>>> I've attached both the XML and Text versions of a very small spec
>>>> that defines a new parameter value for the 'prompt' parameter that
>>>> allows the client to request the user go directly to the account
>>>> creation flow and when the user has successfully created the
>>>> account, return a 'code' to the client. This improves the user
>>>> experience by allowing the client to direct the user directly to
>>>> the account creation page.
>>>>
>>>> Feedback greatly appreciated!
>>>>
>>>> Thanks,
>>>> George
>>>>
>>>>
>>>> _______________________________________________
>>>> Openid-specs-ab mailing list
>>>> Openid-specs-ab at lists.openid.net
>>>> <mailto:Openid-specs-ab at lists.openid.net>
>>>> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>>>>
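The thread above discusses how an OP should treat the draft `prompt=create` value, alone and combined with `login`, against the OpenID Connect Core rules for `prompt` (`none` cannot be combined with other values; `login` requires reauthentication or a `login_required` error). The following is an added example, not code from the thread, the draft spec, or any OpenID implementation, showing one way an OP could parse the space-separated `prompt` parameter and route the request, treating `create` as a hint as George proposes. The `Session` model, the `Decision` action names and the handling of `create login` (send the user to the sign-up page, which per nov's remark can also sign in an existing account) are assumptions of this example.

```python
"""Added example: parsing and routing the OpenID Connect `prompt` parameter at an OP.
Not part of the mailing-list thread or of any OpenID specification text;
the session model and action names below are assumptions of this example.
"""

from dataclasses import dataclass
from typing import Optional

# Values from OpenID Connect Core 1.0 section 3.1.2.1, plus the draft "create".
KNOWN_PROMPTS = {"none", "login", "consent", "select_account", "create"}


@dataclass
class Session:
    """Assumed minimal view of the End-User's state at the OP (constructed)."""
    user_id: Optional[str]            # None when nobody is logged in
    can_reauthenticate: bool = True   # False when the OP cannot prompt the user again


@dataclass
class Decision:
    """What the OP does next and, for errors, the error code returned to the client."""
    action: str                       # "error", "account_creation", "reauthenticate",
                                      # "authenticate" or "authorize"
    error: Optional[str] = None


def parse_prompt(raw: Optional[str]) -> set[str]:
    """Split the space-delimited prompt parameter into a set; reject unknown values."""
    if not raw:
        return set()
    values = set(raw.split())
    unknown = values - KNOWN_PROMPTS
    if unknown:
        raise ValueError(f"unknown prompt value(s): {sorted(unknown)}")
    return values


def decide(raw_prompt: Optional[str], session: Session) -> Decision:
    """Route an authorization request according to its prompt values."""
    try:
        prompts = parse_prompt(raw_prompt)
    except ValueError:
        return Decision("error", "invalid_request")

    # Core 1.0: "none" MUST NOT be combined with any other value.
    if "none" in prompts and len(prompts) > 1:
        return Decision("error", "invalid_request")

    # "none": no UI at all; fail with login_required if nobody is logged in.
    if "none" in prompts:
        if session.user_id is None:
            return Decision("error", "login_required")
        return Decision("authorize")

    # Core 1.0 on "login": reauthenticate, or return login_required if that is impossible.
    # This check runs before the "create" hint so that "create login" still honours it.
    if "login" in prompts and not session.can_reauthenticate:
        return Decision("error", "login_required")

    # Draft "create", treated as a hint: send the user to account creation first.
    # Assumption of this example: the sign-up page can also sign in an existing user,
    # so "create login" lands here rather than on the plain login page.
    if "create" in prompts:
        return Decision("account_creation")

    if "login" in prompts:
        return Decision("reauthenticate")

    if session.user_id is None:
        return Decision("authenticate")
    return Decision("authorize")


if __name__ == "__main__":
    anonymous = Session(user_id=None)
    for p in ("create", "create login", "none", "none create", "login", "bogus"):
        print(f"prompt={p!r:16} -> {decide(p, anonymous)}")
```

The unknown-value branch returns `invalid_request` rather than silently ignoring the value; an OP that ignores unknown prompt values would quietly turn a client's `prompt=create` into an ordinary sign-in, which is the kind of mismatch between client intent and OP behaviour the thread is trying to pin down.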