[Openid-specs-ab] more than one hint in OIDC request
Axel.Nennker at telekom.de
Wed Apr 17 11:56:03 UTC 2024
Hi,
CIBA requires exactly ONE hint.
* Because in the CIBA flow, the OP does not have an interaction with the end-user through the consumption device, it is REQUIRED that the Client provides one (and only one) of the hints specified above in the authentication request, that is "login_hint_token", "id_token_hint" or "login_hint".
In OIDC id_token_hint and login_hint are optional, but there is no text on what the OP should do if there is more than one hint, and what to do when the hints contradict each other.
Options for prompt not none:
1. Id_token_hint takes precedence
2. Id_token_hint sub value and login_hint value are the same, then no problem
3. Id_token_hint sub value and login_hint value contradict each other, then return invalid_request
4. Id_token_hint sub value and login_hint value contradict each other, then ignore both hints and let the user enter their login identifier
5. If more than one hint is in the request, then return invalid_request
6. Write into the spec that the OP's behavior is unspecified, like in the missing "openid" scope case
7. Some other claim in id_token_hint and login_hint match, then no problem
8. Do not add clarifying text to the spec
Options for prompt=none:
1. Basically the same options, except 4)
In general the spec encourages the OP to be helpful. And hints are only hints.
So, I suggest adding:
```
If `prompt=none` and there are both an id_token_hint and a login_hint parameter in the request, then the id_token_hint takes precedence and the login_hint parameter SHOULD be ignored. The authorization server MUST NOT try to use the id_token followed by trying the login_hint or vice versa.
If there is no prompt parameter or its value is other than `none` and there are both an id_token_hint and a login_hint parameter in the request, then it is RECOMMENDED that the authorization server uses the id_token_hint.
```
What do you think?
Kind regards
Axel
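The OP-side decision logic the proposed text describes, written out as an added example (not code from the post or from any OpenID specification). `resolve_hint` implements the two proposed rules: with `prompt=none` and both hints present, `id_token_hint` wins and `login_hint` is dropped with no fallback; otherwise `id_token_hint` is the recommended choice. `hints_contradict` covers options 2, 3 and 7 from the list above by comparing `login_hint` against `sub` and against other identifier claims. The function names, the `HintDecision` structure and the set of "other claims" are my assumptions; the ID token payload is read without signature verification purely to keep the example self-contained, and a real OP would validate the token before trusting any claim in it.

```python
import base64
import json
from dataclasses import dataclass
from typing import Optional

# Claims other than "sub" that a login_hint might plausibly carry (option 7).
# This set is an assumption of the example, not something the OIDC spec defines.
OTHER_IDENTIFIER_CLAIMS = ("email", "preferred_username", "phone_number")


@dataclass
class HintDecision:
    use: Optional[str]     # "id_token_hint", "login_hint" or None
    error: Optional[str]   # "invalid_request" or None
    note: str              # human-readable reason, for logging


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def id_token_claims(id_token_hint: str) -> dict:
    """Return the payload claims of a compact JWS.

    No signature check is performed here (example only). An OP must validate
    the ID token before relying on "sub" or any other claim it contains.
    """
    parts = id_token_hint.split(".")
    if len(parts) != 3:
        raise ValueError("id_token_hint is not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def hints_contradict(id_token_hint: str, login_hint: str) -> bool:
    """True when login_hint matches neither sub nor any other identifier claim."""
    claims = id_token_claims(id_token_hint)
    candidates = [claims.get("sub")] + [claims.get(c) for c in OTHER_IDENTIFIER_CLAIMS]
    return login_hint not in [c for c in candidates if c is not None]


def resolve_hint(params: dict) -> HintDecision:
    """Decide which hint the OP should act on, following the proposed text."""
    prompt_values = set((params.get("prompt") or "").split())
    id_hint = params.get("id_token_hint")
    login_hint = params.get("login_hint")

    if id_hint and login_hint:
        if "none" in prompt_values:
            # prompt=none: id_token_hint takes precedence, login_hint is ignored,
            # and there is no "try one, then the other" fallback.
            return HintDecision("id_token_hint", None,
                                "prompt=none with both hints: using id_token_hint only")
        # Interactive prompt: RECOMMENDED to prefer id_token_hint.
        return HintDecision("id_token_hint", None,
                            "both hints present: id_token_hint recommended, login_hint ignored")
    if id_hint:
        return HintDecision("id_token_hint", None, "only id_token_hint present")
    if login_hint:
        return HintDecision("login_hint", None, "only login_hint present")
    return HintDecision(None, None, "no hint present; OP prompts for an identifier")


def make_unsigned_jwt(payload: dict) -> str:
    """Build a constructed, unsigned test token (alg=none style) for the example."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(payload)}."


if __name__ == "__main__":
    tok = make_unsigned_jwt({"sub": "alice", "email": "alice@example.com"})  # constructed
    print(resolve_hint({"prompt": "none", "id_token_hint": tok, "login_hint": "bob"}))
    print("contradiction with 'bob':", hints_contradict(tok, "bob"))
    print("contradiction with email:", hints_contradict(tok, "alice@example.com"))
```

Where an OP chooses option 3 rather than the proposed precedence rule, `hints_contradict` is the check to run before returning `invalid_request`; the rest of `resolve_hint` is unchanged.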