[Openid-specs-ab] login_hint for Initiating Login at Client from Third Party

George Fletcher gffletch at aol.com
Thu Jun 20 15:22:53 UTC 2013


I think we have two different use cases (at least what I heard on the call).

1. The initiator of the request only knows the login_hint value and 
therefore the URL only contains the login_hint parameter. In this case 
the OAuth2 client (receiver of the URL) must determine the identity 
provider via some mechanism and then invoke that identity provider also 
passing along the login_hint value un-normalized.

2. The initiator of the request only knows (or only wants to specify) the 
issuer. In this case the OAuth2 client (receiver of the URL) must direct 
the user to the specified identity provider. In some cases it's possible 
that the client will be required to perform dynamic registration of 
itself to the specified identity provider before continuing the login flow.

It's mandatory for the OAuth2 client to support both use cases.

As for the 'target_link_uri' it's pretty undefined as to what 'MUST 
verify' means. Maybe that's intentional, but as an implementer it's 
pretty unclear.

Overall, this "3rd party initiated" flow seems underspecified. Like we 
are leaving out processing rules and other things. Is it critical to 
have this support in the native spec as opposed to profile or secondary 
doc? Is support for this whole concept mandatory to implement for 
Relying Parties?

Thanks,
George

On 6/20/13 11:19 AM, John Bradley wrote:
> I think Mike argued that iss be REQUIRED to avoid the client doing 
> discovery.
>
> Perhaps for login_hint OPTIONAL. A string that the client MUST send as 
> login_hint parameter value of the authorization request if present.
>
> On 2013-06-20, at 11:11 AM, Nat Sakimura <sakimura at gmail.com> wrote:
>
>> What about this?
>>
>> login_hint
>>     OPTIONAL. A string that the client MUST send as login_hint
>>     parameter value of the authorization request.
>> iss
>>     OPTIONAL. Issuer Identifier for the Issuer that the Client is to
>>     send the authentication request to. Its value MUST be a URL using
>>     the https scheme.
>> target_link_uri
>>     OPTIONAL. URI of the target resource. After receiving a positive
>>     authorization response, the Client SHOULD redirect the user-agent
>>     to this URI. Clients MUST verify the value of the
>>     target_link_uri to prevent it being used as an open redirector to
>>     external sites.
>>
>>
>> 2013/6/20 Brian Campbell <bcampbell at pingidentity.com>
>>
>>     The text says login_hint is required but then ends the
>>     description with "(if necessary)" which reads kind of awkwardly
>>     (to me anyway).
>>
>>     Also it says it's a "hint to the Authorization Server" but this
>>     section is defining a client endpoint. Shouldn't it say what the
>>     client is supposed to do with it? I presume it should just pass
>>     it along verbatim to the AS using the parameter of the same name.
>>     But the text here should probably say as much, no?
>>
>>     And why is login_hint required? It seems quite possible that the
>>     AS or other party (a static HTML page of links, for example)
>>     wouldn't know enough to populate that field at the point of
>>     sending a Login Initiation Request.
>>
>>     from
>>     http://openid.net/specs/openid-connect-standard-1_0-21.html#client_Initiate_login
>>
>>
>>     "login_hint
>>         REQUIRED. Hint to the Authorization Server about the login
>>         identifier the End-User might use to log in (if necessary)."
>>
>>
>>
>>
>>
>>     _______________________________________________
>>     Openid-specs-ab mailing list
>>     Openid-specs-ab at lists.openid.net
>>     http://lists.openid.net/mailman/listinfo/openid-specs-ab
>>
>>
>>
>>
>> -- 
>> Nat Sakimura (=nat)
>> Chairman, OpenID Foundation
>> http://nat.sakimura.org/
>> @_nat_en

-- 
George Fletcher <http://connect.me/gffletch>
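As an added worked example (not code from the thread or from any OpenID Connect draft), here is how a client's Login Initiation endpoint could handle the two use cases George describes and give "MUST verify" a concrete meaning for target_link_uri. The client origin, the OP registry, the domain-to-issuer table and the session store are constructed stand-ins; in particular the domain lookup stands in for the "some mechanism" by which the client would discover the issuer from a bare login_hint (for example WebFinger), and an unregistered issuer is reported as needing dynamic registration rather than registered here.

```python
"""Third-party Login Initiation endpoint for an OpenID Connect client (added example).

Handles the two cases from the thread: a request carrying only login_hint
(the client must work out the OP itself) and a request naming the OP via iss
(the client may first need to register there). target_link_uri is checked
against the client's own origin so the endpoint is not an open redirector.
"""
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample configuration for the client (all names are assumptions).
CLIENT_ORIGIN = "https://rp.example"
REDIRECT_URI = "https://rp.example/callback"
REGISTERED_OPS = {  # OPs this client already holds a client_id at
    "https://op.example": {
        "authorization_endpoint": "https://op.example/authorize",
        "client_id": "rp-client-123",
    },
}
# Assumed stand-in for issuer discovery (e.g. WebFinger): login_hint domain -> issuer.
HINT_DOMAIN_TO_ISSUER = {"op.example": "https://op.example"}
SESSIONS = {}  # state -> data the callback will need; in-memory stand-in for a session store


class LoginInitiationError(ValueError):
    """The Login Initiation Request was malformed or unsafe to act on."""


def verify_target_link_uri(value):
    """Return target_link_uri as an absolute same-origin URL, or raise.

    Accepts a root-relative path or an absolute URL on CLIENT_ORIGIN only;
    other hosts, userinfo tricks, backslashes and other schemes are refused.
    """
    if "\\" in value:  # browsers treat "/\evil" like "//evil"
        raise LoginInitiationError("target_link_uri contains a backslash")
    parts = urlsplit(value)
    if parts.scheme == "" and parts.netloc == "":
        if not value.startswith("/"):
            raise LoginInitiationError("relative target_link_uri must be root-relative")
        return CLIENT_ORIGIN + value
    own = urlsplit(CLIENT_ORIGIN)
    if (parts.scheme.lower() != own.scheme or parts.hostname != own.hostname
            or parts.port != own.port or parts.username is not None):
        raise LoginInitiationError("target_link_uri is not on the client's origin")
    return value


def handle_login_initiation(query_string):
    """Process a Login Initiation Request; return the next action for the user-agent."""
    params = {k: v[0] for k, v in parse_qs(query_string).items()}
    iss, login_hint = params.get("iss"), params.get("login_hint")
    target = params.get("target_link_uri")
    if iss is None and login_hint is None:
        raise LoginInitiationError("request carries neither iss nor login_hint")
    # Verify target_link_uri before doing anything else so a bad value is refused early.
    target = verify_target_link_uri(target) if target is not None else None

    if iss is not None:
        if urlsplit(iss).scheme != "https" or not urlsplit(iss).hostname:
            raise LoginInitiationError("iss must be an https URL")
    else:
        # Use case 1: only login_hint given; the client must determine the OP itself.
        domain = login_hint.rpartition("@")[2].lower()
        iss = HINT_DOMAIN_TO_ISSUER.get(domain)
        if iss is None:
            raise LoginInitiationError("cannot determine an issuer from login_hint")

    op = REGISTERED_OPS.get(iss)
    if op is None:
        # Use case 2: a named OP the client holds no registration with yet.
        return {"action": "register", "issuer": iss}

    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    SESSIONS[state] = {"issuer": iss, "nonce": nonce, "target_link_uri": target}
    auth = {"response_type": "code", "scope": "openid", "client_id": op["client_id"],
            "redirect_uri": REDIRECT_URI, "state": state, "nonce": nonce}
    if login_hint is not None:
        auth["login_hint"] = login_hint  # forwarded verbatim, not normalised
    return {"action": "redirect", "state": state,
            "location": op["authorization_endpoint"] + "?" + urlencode(auth)}


def is_rejected(query_string):
    """True if the request is refused with LoginInitiationError."""
    try:
        handle_login_initiation(query_string)
    except LoginInitiationError:
        return True
    return False


if __name__ == "__main__":
    print(handle_login_initiation("login_hint=alice%40op.example&target_link_uri=/account"))
```

The verified target_link_uri is kept server-side under the state value rather than round-tripped through the authorization request, so the callback can only ever redirect to a location this endpoint already checked.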