[Openid-specs-ab] Issue #1193: prompt=create is still just a hint (openid/connect)

panva issues-reply at bitbucket.org
Tue Sep 29 09:01:38 UTC 2020


New issue 1193: prompt=create is still just a hint
https://bitbucket.org/openid/connect/issues/1193/prompt-create-is-still-just-a-hint

Filip Skokan:

> 4.1. Authorization Request  
> How the OpenID Provider handles prompt values that it fails to parse is out of scope for this specification. -or- If the OpenID Provider fails to parse the provided value(s) it should ignore the prompt parameter value and proceed as if the prompt parameter was not specified.

I believe this issue remains unanswered by the WG. See [https://bitbucket.org/openid/connect/issues/1101/clarify-expected-op-behaviour-upon.](https://bitbucket.org/openid/connect/issues/1101/clarify-expected-op-behaviour-upon.) My expectation is to error instead of ignore on unsupported values since not every prompt parameter value brings with it the “acknowledgement” in the form of a return parameter or claim inside the ID Token (e.g. none, consent, this one). This needs to be solved on a higher level since it is unsuitable for every extension prompt parameter value to be defining its own “unrecognized” handling.

> Appendix C. Document History  
> 2019-10-02  
> Incorporated feedback from the working group. Add text around prompt=create being more than a hint but an expectation of an action to be performed.

Where is this incorporated? Since there's no normative language saying a new registration must be processed or any feedback back to the RP that a new registration was actually performed, this extension indeed is still just a UX hint. As a matter of fact, the specification doesn't even say anything about the expected behaviour when an OP already tracks an authenticated session. Should the prompt=create behave like prompt=login then?

**As-is, prompt=create does not fulfil my expectation of what a prompt parameter value should be, it is still only a simple hint. It is not a behaviour prescription, nor does it come with feedback to the RP.** Maybe all it would take is to register a registered_at/created_at OIDC unix timestamp claim and ensure that one is returned when prompt=create is used.

Responsible: gffletch
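
The two handling options discussed in this issue, side by side, as an added example that is not part of the original post, the specification, or any OP implementation. The helper `resolvePrompt`, the `legacyOp`/`createOp` sets and the use of `invalid_request` as the error code are assumptions made for illustration.

```javascript
// Added illustration: not from the specification or any OP implementation.
// Four prompt values from OpenID Connect Core, plus the "create" extension value.
const CORE_PROMPTS = ['none', 'login', 'consent', 'select_account'];
const legacyOp = new Set(CORE_PROMPTS);               // hypothetical OP without prompt=create
const createOp = new Set([...CORE_PROMPTS, 'create']); // hypothetical OP with prompt=create

// policy: 'ignore' (fallback quoted from section 4.1) or 'error' (the post's expectation).
// Using invalid_request as the error code is an assumption of this example.
function resolvePrompt(rawPrompt, supported, policy) {
  if (rawPrompt === undefined || rawPrompt.trim() === '') {
    return { ok: true, prompts: [] };
  }
  // prompt is a space-delimited list of case-sensitive strings; drop duplicates.
  const requested = [...new Set(rawPrompt.trim().split(/ +/))];
  // OpenID Connect Core: "none" together with any other value is an error.
  if (requested.includes('none') && requested.length > 1) {
    return { ok: false, error: 'invalid_request',
      error_description: 'prompt=none cannot be combined with other values' };
  }
  const unsupported = requested.filter((p) => !supported.has(p));
  if (unsupported.length === 0) {
    return { ok: true, prompts: requested };
  }
  if (policy === 'error') {
    return { ok: false, error: 'invalid_request',
      error_description: `unsupported prompt value(s): ${unsupported.join(' ')}` };
  }
  // 'ignore': proceed as if the prompt parameter had not been sent at all.
  return { ok: true, prompts: [] };
}

// What the RP can observe for the same request under each policy.
function compare(rawPrompt, supported) {
  return {
    ignore: resolvePrompt(rawPrompt, supported, 'ignore'),
    error: resolvePrompt(rawPrompt, supported, 'error'),
  };
}

console.log(compare('create', legacyOp));
console.log(compare('create', createOp));
```

Under the 'ignore' policy the OP without `create` support returns the same result for `prompt=create` as for a request with no `prompt` at all, so the RP has nothing to distinguish the two cases by.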


