[Openid-specs-ab] Issue #1395: usage of id_token_hint in OIDC.Core (openid/connect)
Kristina Yasuda
issues-reply at bitbucket.org
Tue Jan 18 19:30:30 UTC 2022
New issue 1395: usage of id_token_hint in OIDC.Core
https://bitbucket.org/openid/connect/issues/1395/usage-of-id_token_hint-in-oidccore
Kristina Yasuda:
I have encountered an interpretation that the language used in [Section 3.1.2.1 Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest) of OIDC.Core, "If the End-User identified by the ID Token (in the id_token_hint) is logged in or **is logged in by the request**, then the AS returns a positive response", means that the ID Token in the id_token_hint can be used to log in the user.
If the part "If the End-User identified by the ID Token is logged in" means "If id_token_hint was used to identify the user's existing session with the AS", as I have heard pointed out several times, could someone please clarify what is meant by "If the End-User identified by the ID Token **is logged in by the request** (without a prompt)"? It has also been pointed out to me several times that id_token_hint must not be used to log in (re-authenticate) the user.
Is there a place where best practice for id_token_hint is documented? I suggest a clarification be added in errata 2 of OIDC.Core, which I think is being prepared.