[Openid-specs-ab] login_hint for Initiating Login at Client from Third Party
sakimura at gmail.com
Thu Jun 20 15:11:25 UTC 2013
What about this?
login_hint
    OPTIONAL. A string that the client MUST send as login_hint
    parameter value of the authorization request.
iss
    OPTIONAL. Issuer Identifier for the Issuer that the Client is to
    send the authentication request to. Its value MUST be a URL using
    the https scheme.
target_link_uri
    OPTIONAL. URI of the target resource. After receiving a positive
    authorization response, the Client SHOULD redirect the user-agent
    to this URI. Clients MUST verify the value of the target_link_uri
    to prevent it being used as an open redirector to external sites.
2013/6/20 Brian Campbell <bcampbell at pingidentity.com>
> The text says login_hint is required but then ends the description with
> "(if necessary)" which reads kind of awkwardly (to me anyway).
> Also it says it's a "hint to the Authorization Server" but this section is
> defining a client endpoint. Shouldn't it say what the client is supposed to
> do with it? I presume it should just pass it along verbatim to the AS using
> the parameter of the same name. But the text here should probably say as
> much, no?
> And why is login_hint required? It seems quite possible that the AS or
> other party (a static HTML page of links, for example) wouldn't know enough
> to populate that field at the point of sending a Login Initiation Request.
> "login_hint REQUIRED. Hint to the Authorization Server about the login
> identifier the End-User might use to log in (if necessary)."
Nat Sakimura (=nat)
Chairman, OpenID Foundation
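
The client-side handling implied by the parameter text proposed above, as an added example that is not part of the original message or of the OpenID specification text: it checks that iss uses https, passes login_hint through unchanged, and only accepts a target_link_uri on the client's own origin. The host names, client_id, the pre-registered issuer table, the fallback to a default page and the function names safe_target and build_auth_request are all assumptions made for illustration.

```python
from urllib.parse import urlsplit, urlencode

# All values below are constructed for illustration (assumptions, not from the thread).
CLIENT_HOST = "client.example.com"
DEFAULT_TARGET = "https://client.example.com/"
DEFAULT_ISSUER = "https://op.example.com"
KNOWN_ISSUERS = {DEFAULT_ISSUER: "https://op.example.com/authorize"}
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://client.example.com/cb"


def safe_target(target_link_uri):
    """Return target_link_uri only if it stays on the client's own https origin."""
    uri = target_link_uri or ""
    # Backslashes, spaces and control characters are parsed differently by
    # browsers and by urlsplit, so refuse them outright.
    if not uri or "\\" in uri or any(ord(c) < 0x21 for c in uri):
        return DEFAULT_TARGET
    try:
        parts = urlsplit(uri)
        port = parts.port
    except ValueError:
        return DEFAULT_TARGET
    same_origin = (parts.scheme == "https" and parts.hostname == CLIENT_HOST
                   and port in (None, 443))
    if not same_origin or parts.username is not None or parts.password is not None:
        return DEFAULT_TARGET
    return uri


def build_auth_request(params, state):
    """Turn login-initiation parameters into (authorization_url, post_login_target)."""
    iss = params.get("iss", DEFAULT_ISSUER)
    if urlsplit(iss).scheme != "https":
        raise ValueError("iss MUST be a URL using the https scheme")
    if iss not in KNOWN_ISSUERS:  # assumption: only pre-registered issuers are used
        raise ValueError("unknown issuer")
    query = {"response_type": "code", "scope": "openid", "client_id": CLIENT_ID,
             "redirect_uri": REDIRECT_URI, "state": state}
    if "login_hint" in params:
        query["login_hint"] = params["login_hint"]  # passed to the OP unchanged
    return KNOWN_ISSUERS[iss] + "?" + urlencode(query), safe_target(params.get("target_link_uri"))
```

The returned target should be stored server-side against state and used only after a positive authorization response.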