[Openid-specs-ab] [openid/connect] Messages - 2.1.2 Authorization Request - id_token error condition needed (issue #610)

Nat Sakimura issues-reply at bitbucket.org
Sun Jul 1 09:59:02 UTC 2012



New issue 610: Messages - 2.1.2 Authorization Request - id_token error condition needed
https://bitbucket.org/openid/connect/issue/610/messages-212-authorization-request

Nat Sakimura:

In 2.1.2, it is defined as: 

**id_token**
OPTIONAL. An ID Token passed to the Authorization server as a hint about the user's current or past authenticated session with the client. This SHOULD be present if prompt=none is sent.

We need to specify the behavior of the IdP for each prompt type. 

* Case 1: the user specified via id_token and the only user at the IdP matches
* Case 2: the user specified via id_token is one of the current users at the IdP.
* Case 3: the user specified via id_token and the user at the IdP does not match
* Case 4: when there is no user at the IdP

Examples

* E1: prompt=none + Case 2 => the user specified via id_token MUST be returned. 
* E2: prompt=login + Case 4 => Only the user specified in id_token is allowed for the successful authentication. 
* E3: prompt=login + Case 3 => Same as E2

etc. 
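The four cases and the three worked outcomes above, turned into a small decision routine as an added illustration (this is not code from the issue or from the OpenID Connect project). It assumes the hinted subject has already been taken from an ID Token the server validated, and it treats Case 1 as "exactly one session, and it matches" and Case 2 as "several sessions, one of which matches"; any (prompt, case) pair the issue does not spell out is reported as unspecified, which is precisely the gap the issue asks the spec to fill.

```python
from enum import Enum


class Case(Enum):
    ONLY_USER_MATCHES = 1     # Case 1: the single session at the IdP matches the hint
    ONE_OF_USERS_MATCHES = 2  # Case 2: several sessions, one of them matches the hint
    NO_MATCH = 3              # Case 3: session(s) exist, none match the hint
    NO_USER = 4               # Case 4: no authenticated user at the IdP


def classify(hinted_sub, active_subs):
    """Map the id_token hint's subject and the IdP's current sessions to Cases 1-4.

    hinted_sub is assumed to come from an ID Token the server has already
    validated (signature, issuer, audience); active_subs is the list of
    subjects with a live session at the IdP.
    """
    if not active_subs:
        return Case.NO_USER
    if hinted_sub in active_subs:
        if len(active_subs) == 1:
            return Case.ONLY_USER_MATCHES
        return Case.ONE_OF_USERS_MATCHES
    return Case.NO_MATCH


# Outcomes E1-E3 exactly as the issue states them. Every other combination is
# left undefined on purpose: that is the behaviour the issue asks 2.1.2 to add.
_SPECIFIED = {
    ("none", Case.ONE_OF_USERS_MATCHES): "return hinted user",               # E1
    ("login", Case.NO_USER): "only hinted user may authenticate",            # E2
    ("login", Case.NO_MATCH): "only hinted user may authenticate",           # E3
}


def decide(prompt, hinted_sub, active_subs):
    """Return (case, required behaviour) for a prompt value and an id_token hint."""
    case = classify(hinted_sub, active_subs)
    return case, _SPECIFIED.get((prompt, case), "unspecified in 2.1.2")


if __name__ == "__main__":
    # Constructed sample: hint names alice, IdP has sessions for bob and alice.
    print(decide("none", "alice", ["bob", "alice"]))
```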


