[Openid-specs-ab] Submission: prompt=create draft spec
George Fletcher
gffletch at aol.com
Thu Jan 31 17:19:11 UTC 2019
I've attached both the XML and Text versions of a very small spec that
defines a new parameter value for the 'prompt' parameter that allows the
client to request the user go directly to the account creation flow and
when the user has successfully created the account, return a 'code' to
the client. This improves the user experience by allowing the client to
direct the user directly to the account creation page.
Feedback greatly appreciated!
Thanks,
George
-------------- next part --------------
A non-text attachment was scrubbed...
Name: draft-openid-connect-prompt-create-01.xml
Type: text/xml
Size: 10663 bytes
Desc: not available
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20190131/41ad5ed1/attachment.xml>
-------------- next part --------------
G. Fletcher
Verizon Media
January 31, 2019
Initiating User Registration via OpenID Connect
draft-openid-connect-prompt-create-01
Abstract
An extension to the OpenID Connect Authentication Framework defining
a new value for the "prompt" parameter that instructs the OpenID
Provider to start the user flow with user registration and after the
user account has been created return an authorization code to the
client to complete the authentication flow.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 1
2. Requirements Notation and Conventions . . . . . . . . . . . . 2
3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 2
4. Prompt Parameter . . . . . . . . . . . . . . . . . . . . . . 2
4.1. Authorization Request . . . . . . . . . . . . . . . . . . 2
5. Security Considerations . . . . . . . . . . . . . . . . . . . 3
6. References . . . . . . . . . . . . . . . . . . . . . . . . . 3
6.1. Normative References . . . . . . . . . . . . . . . . . . 3
6.2. Informative References . . . . . . . . . . . . . . . . . 4
Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 4
Appendix B. Document History . . . . . . . . . . . . . . . . . . 5
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 5
1. Introduction
Several years of deployment and implementation experience with OpenID
Connect Core 1.0 [OpenID.Core] has uncovered a need, in some
circumstances, for the client to explicitly signal to the OpenID
Provider that the user desires to create a new account rather than
authenticate an existing identity.
This allows the client to indicate to the OpenID Provider that the
user desires to create an account. This improves the user experience
because the user doesn't have to first see the login form and then
find the sign-up link on the form and select it before getting to the
user's desired action.
This specification defines a new parameter value for the "prompt"
parameter.
Fletcher Expires August 4, 2019 [Page 1]
OIDC Prompt Create January 2019
2. Requirements Notation and Conventions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in RFC
2119 [RFC2119].
In the .txt version of this specification, values are quoted to
indicate that they are to be taken literally. When using these
values in protocol messages, the quotes MUST NOT be used as part of
the value. In the HTML version of this specification, values to be
taken literally are indicated by the use of "this fixed-width font".
3. Terminology
This specification uses the terms "authorization endpoint",
"authorization request", "authorization response", and "client"
defined by The OAuth 2.0 Authorization Framework [RFC6749].
4. Prompt Parameter
In requests to the OpenID Provider, a client MAY indicate that the
desired user experience is for the user to immediately see the user
account creation UI instead of the login behavior.
prompt
A value of "create" indicates to the OpenID Provider that the user
should be shown the account creation UX rather than the login
flow. This value MUST NOT be used in combination with any other
"prompt" values.
4.1. Authorization Request
When the "prompt" parameter is used in an authorization request to
the authorization endpoint with the value of "create", it indicates
that the user MUST be shown the account creation experience rather
than the login experience. This behavior is the same for both the
implicit flow (Section 4.2 of OAuth 2.0 [RFC6749]), and the
authorization code flow (Section 4.1 of OAuth 2.0 [RFC6749]).
For authorization requests sent as a JWTs, such as when using JWT
Secured Authorization Request [I-D.ietf-oauth-jwsreq], a single
"prompt" parameter value is represented as a JSON string while
multiple values are represented as an array of strings.
If the OpenID Provider fails to parse the provided value(s) it should
ignore the "prompt" parameter value and proceed as if the "prompt"
parameter was not specified.
Fletcher Expires August 4, 2019 [Page 2]
OIDC Prompt Create January 2019
An example of an authorization request where the client tells the
OpenID Provider that it wants the user to start from the account
creation user experience is shown in Figure 1 below (extra line
breaks and indentation are for display purposes only).
GET /as/authorization.oauth2?response_type=token
&client_id=example-client
&state=XzZaJlcwYew1u0QBrRv_Gw
&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Eorg%2Fcb
&prompt=create HTTP/1.1
Host: authorization-server.example.com
Figure 1: Implicit Flow Authorization Request
Below in Figure 2 is an example of an authorization request using the
"code" response type where the the client tells the OpenID Provider
that it wants the user to start from the account creation user
experience (extra line breaks and indentation are for display
purposes only).
GET /as/authorization.oauth2?response_type=code
&client_id=s6BhdRkqt3
&state=tNwzQ87pC6llebpmac_IDeeq-mCR2wLDYljHUZUAWuI
&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Eorg%2Fcb
&scope=calendar%20contacts
&prompt=create HTTP/1.1
Host: authorization-server.example.com
Figure 2: Code Flow Authorization Request
5. Security Considerations
Placeholder for now
6. References
6.1. Normative References
[OpenID.Core]
Sakimura, N., Bradley, J., Jones, M., de Medeiros, B., and
C. Mortimore, "OpenID Connect Core 1.0", November 2014,
<http://openid.net/specs/openid-connect-core-1_0.html>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>.
Fletcher Expires August 4, 2019 [Page 3]
OIDC Prompt Create January 2019
[RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
Resource Identifier (URI): Generic Syntax", STD 66,
RFC 3986, DOI 10.17487/RFC3986, January 2005,
<https://www.rfc-editor.org/info/rfc3986>.
[RFC6749] Hardt, D., Ed., "The OAuth 2.0 Authorization Framework",
RFC 6749, DOI 10.17487/RFC6749, October 2012,
<https://www.rfc-editor.org/info/rfc6749>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>.
6.2. Informative References
[I-D.ietf-oauth-jwsreq]
Sakimura, N. and J. Bradley, "The OAuth 2.0 Authorization
Framework: JWT Secured Authorization Request (JAR)",
draft-ietf-oauth-jwsreq-16 (work in progress), April 2018.
[RFC6750] Jones, M. and D. Hardt, "The OAuth 2.0 Authorization
Framework: Bearer Token Usage", RFC 6750,
DOI 10.17487/RFC6750, October 2012,
<https://www.rfc-editor.org/info/rfc6750>.
[RFC7519] Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token
(JWT)", RFC 7519, DOI 10.17487/RFC7519, May 2015,
<https://www.rfc-editor.org/info/rfc7519>.
[RFC7644] Hunt, P., Ed., Grizzle, K., Ansari, M., Wahlstroem, E.,
and C. Mortimore, "System for Cross-domain Identity
Management: Protocol", RFC 7644, DOI 10.17487/RFC7644,
September 2015, <https://www.rfc-editor.org/info/rfc7644>.
[RFC7662] Richer, J., Ed., "OAuth 2.0 Token Introspection",
RFC 7662, DOI 10.17487/RFC7662, October 2015,
<https://www.rfc-editor.org/info/rfc7662>.
Appendix A. Acknowledgements
This specification was developed within the OAuth Working Group under
the chairmanship of Hannes Tschofenig and Rifaat Shekh-Yusef with
Eric Rescorla and Benjamin Kaduk serving as Security Area Directors.
Additionally, the following individuals contributed ideas, feedback,
and wording that helped shape this specification:
Placeholder
Fletcher Expires August 4, 2019 [Page 4]
OIDC Prompt Create January 2019
Appendix B. Document History
[[ to be removed by the RFC Editor before publication as an RFC ]]
Author's Address
George Fletcher
Verizon Media
Email: gffletch at aol.com
Fletcher Expires August 4, 2019 [Page 5]
More information about the Openid-specs-ab
mailing list