[Openid-specs-ab] Fwd: [OAUTH-WG] prompt parameter for Authorization Request

Nat Sakimura sakimura at gmail.com
Fri Sep 14 05:06:10 UTC 2012

---------- Forwarded message ----------
From: Lewis Adam-CAL022 <Adam.Lewis at motorolasolutions.com>
Date: Fri, Sep 14, 2012 at 5:36 AM
Subject: [OAUTH-WG] prompt parameter for Authorization Request
To: "oauth at ietf.org" <oauth at ietf.org>


OpenID Connect defines a parameter for the Authorization Request that
I really like a lot, the prompt parameter which can force the AS to
re-challenge the user for primary authentication.

This would be a nice feature to have for OAuth too.

I have some high assurance use cases where my resource servers will
require a certain “freshness” of the access token.  The RS will only
accept an AT within a certain lifetime (say for example 1hr).  If a
client presents an AT to the RS that was minted over 1hr ago, the RS
(via its RESTful API) will return an error message indicating such to
the client.  Further, the RS requires explicit re-authentication of
the end user (by the AS) to obtain a new token.

However, if the UA still has an active session with the AS, the AS
will not know to re-prompt for primary auth.

Hence having a PROMPT parameter in OAuth would be ideal.

Obviously, the train has left the station in terms of the core draft.
But I’m wondering if anybody else has come across such use cases.
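As an added illustration (not code from the post or from either working group), the two halves of the scenario above in Python: a resource server that rejects an access token minted more than an hour ago with an RFC 6750 invalid_token error and tells the client to re-authenticate the user, and a client that answers by rebuilding its authorization request with the OpenID Connect prompt=login parameter so the AS re-challenges the user even while the UA session is still alive. It assumes the RS can read JWT-style claims including the standard iat (issued-at) claim; the authorization endpoint, client_id, redirect_uri and state values are hypothetical. A token with a missing or malformed iat is treated as stale, since the RS has no way to judge its age.

```python
"""Added example, not from the mailing-list post: a resource server that
enforces a 1 hour access-token freshness window and a client that rebuilds
the authorization request with prompt=login when told to re-authenticate.
Token claims are assumed to be JWT-style dicts with the standard `iat`
claim; endpoint, client_id, redirect_uri and state are hypothetical values.
"""
import time
from urllib.parse import urlencode

FRESHNESS_SECONDS = 3600  # the 1 hour window described in the message
CLOCK_SKEW_SECONDS = 60   # tolerance for an AS clock slightly ahead of the RS


def token_is_fresh(claims, now=None, max_age=FRESHNESS_SECONDS):
    """True only if the token carries an `iat` claim no older than max_age.

    A missing or malformed `iat` fails closed: the RS cannot tell how old
    the token is, so it treats it as stale rather than accepting it.
    """
    now = time.time() if now is None else now
    iat = claims.get("iat")
    if not isinstance(iat, (int, float)):
        return False
    if iat > now + CLOCK_SKEW_SECONDS:  # minted "in the future": reject
        return False
    return now - iat <= max_age


def rs_handle_request(claims, now=None):
    """Resource-server decision for one API call.

    Returns (http_status, headers, body). A stale token gets the RFC 6750
    invalid_token challenge so the client knows it must obtain a new token,
    and the body states explicitly that the end user must re-authenticate.
    """
    if not token_is_fresh(claims, now):
        challenge = ('Bearer error="invalid_token", '
                     'error_description="access token older than 1h"')
        return 401, {"WWW-Authenticate": challenge}, {
            "error": "invalid_token",
            "reauthenticate": True,
        }
    return 200, {}, {"result": "ok", "sub": claims.get("sub")}


def build_reauth_request(authz_endpoint, client_id, redirect_uri, state,
                         scope="openid"):
    """Client side: an authorization request that forces fresh primary
    authentication via the OpenID Connect prompt=login parameter."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "prompt": "login",  # AS must re-challenge the user even with a live session
    }
    return authz_endpoint + "?" + urlencode(params)


def client_call(claims, now=None):
    """Drive one RS call; on a stale token, return the re-auth request URL."""
    status, _headers, body = rs_handle_request(claims, now)
    if status == 401 and body.get("reauthenticate"):
        url = build_reauth_request(
            "https://as.example/authorize",  # hypothetical AS endpoint
            "client-123",                    # hypothetical client_id
            "https://app.example/cb",        # hypothetical redirect_uri
            "xyz-state",                     # hypothetical state value
        )
        return "reauth", url
    return "ok", body


if __name__ == "__main__":
    now = 1_347_600_000  # constructed fixed clock for a deterministic run
    fresh = {"sub": "alice", "iat": now - 600}   # minted 10 minutes ago
    stale = {"sub": "alice", "iat": now - 7200}  # minted 2 hours ago
    print(client_call(fresh, now))
    print(client_call(stale, now))
```

The client keys its behaviour off the explicit `reauthenticate` flag rather than off the 401 alone, because a bare invalid_token could also be answered by a silent refresh-token grant, which is exactly what the message wants to avoid in the high-assurance case.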




Nat Sakimura (=nat)
Chairman, OpenID Foundation
