[Openid-specs-ab] Requested user alias

John Bradley ve7jtb at ve7jtb.com
Thu Jul 5 13:42:32 UTC 2012


In talking to a number of people, and looking at account chooser.

What seems to be required is to send an alias for the user to the IdP requesting that the person be prompted to login to this account.

The alias may be in email form or something else. 

I think that is different from saying only return a login if the person's email matches this.

There are two slightly different versions of this.

One is where the user is defaulted to the account in the hint, but can select another account.
The other is the user is only given the option of authenticating with that account, and can't select another at the IdP.

I suspect there are use-cases for both, but the second is much harder for the client to depend on, and may introduce risks if the IdP is not compliant.

I think with account chooser this will be common enough to warrant it being a query parameter rather than in the request object.

We need to be careful that we don't mislead people into thinking that this is a way to verify an email, as that will go horribly wrong the first time an IdP allows account selection.

I think we should add a new query parameter for the authorization endpoint "user_alias".

This is an alias for the account the user wishes to authenticate with.  The IdP may display the name sent or some other string, or graphic to prompt the user.


As a flow I would expect the RP to send me to account chooser where I select the account I want to use.  
Account chooser sends back something in the form of an email / acct: URI.

The Client performs discovery on it getting the issuer.

The portion of the acct: URI before the @ could be a simple name or it could be some other signed object generated by the IdP, perhaps containing the user's pre-consent to releasing particular attributes, or even an id_token generated dynamically by the IdP (acct chooser as proxy in implicit flow).

That object, acct:xxx@example.com, would then be passed in "user_alias" to the authorization endpoint, where the user would be prompted if they need to enter credentials or other authorization, or not if the user is already authenticated.

John B.
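An RP-side sketch of the flow described in this post, added here as an example and not code from the post or from any OpenID project; "user_alias" is the parameter name proposed above, not a ratified one, and the endpoints, client_id, state value and claim values are constructed. The last function is the check the warning about email verification calls for: after authentication the RP compares what the IdP actually asserted against the hint, assuming the alias is in email form.

```python
from urllib.parse import urlencode

def parse_acct(uri):
    """Split an acct: URI returned by the account chooser into (local part, host)."""
    if not uri.startswith("acct:") or "@" not in uri:
        raise ValueError("not an acct: URI")
    local, host = uri[len("acct:"):].rsplit("@", 1)
    return local, host

def webfinger_url(acct_uri):
    """WebFinger request the client issues to discover the account's issuer."""
    _, host = parse_acct(acct_uri)
    query = urlencode({"resource": acct_uri,
                       "rel": "http://openid.net/specs/connect/1.0/issuer"})
    return "https://%s/.well-known/webfinger?%s" % (host, query)

def authorization_url(authz_endpoint, client_id, redirect_uri, state, user_alias):
    """Authorization request carrying the alias as a plain query parameter,
    as the post proposes, rather than inside a request object."""
    params = {"response_type": "code", "scope": "openid email",
              "client_id": client_id, "redirect_uri": redirect_uri,
              "state": state, "user_alias": user_alias}
    return authz_endpoint + "?" + urlencode(params)

def account_matches_hint(id_token_claims, expected_issuer, user_alias):
    """The alias is only a hint. If the IdP let the user pick a different
    account, the id_token describes that other account, so the RP must
    compare the asserted identity with the hint instead of trusting the hint.
    Assumes the alias is an email-form acct: URI (constructed claim names
    follow the standard OpenID Connect 'iss', 'email', 'email_verified')."""
    if id_token_claims.get("iss") != expected_issuer:
        return False
    local, host = parse_acct(user_alias)
    return (id_token_claims.get("email_verified") is True
            and id_token_claims.get("email") == "%s@%s" % (local, host))
```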