[Openid-specs-ab] login_hint for Initiating Login at Client from Third Party

Mike Jones Michael.Jones at microsoft.com
Thu Jun 20 15:25:12 UTC 2013


I think the "MUST" in the login_hint language below is confusing.

If we don't require that the issuer be specified, we have to say how to figure out what it is.

I guess part of the confusion is what this is for.  I'd thought that it was "please log this user in at this IdP".  If we make everything optional it becomes something closer to "please have the user log in at your RP".  Before revising the text, we probably want to be clear among ourselves what it's trying to accomplish.

                                                            -- Mike

From: openid-specs-ab-bounces at lists.openid.net [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of John Bradley
Sent: Thursday, June 20, 2013 8:20 AM
To: Nat Sakimura
Cc: <openid-specs-ab at lists.openid.net>
Subject: Re: [Openid-specs-ab] login_hint for Initiating Login at Client from Third Party

I think Mike argued that iss be REQUIRED to avoid the client doing discovery.

Perhaps for login_hint OPTIONAL. A string that the client MUST send as login_hint parameter value of the authorization request if present.

On 2013-06-20, at 11:11 AM, Nat Sakimura <sakimura at gmail.com> wrote:


What about this?

login_hint
OPTIONAL. A string that the client MUST send as login_hint parameter value of the authorization request.
iss
OPTIONAL. Issuer Identifier for the Issuer that the Client is to send the authentication request to. Its value MUST be a URL using the https scheme.
target_link_uri
OPTIONAL. URI of the target resource. After receiving a positive authorization response, the Client SHOULD redirect the user-agent to this URI. Clients MUST verify the value of the target_link_uri to prevent it being used as an open redirector to external sites.

2013/6/20 Brian Campbell <bcampbell at pingidentity.com>
The text says login_hint is required but then ends the description with "(if necessary)" which reads kind of awkwardly (to me anyway).

Also it says it's a "hint to the Authorization Server" but this section is defining a client endpoint. Shouldn't it say what the client is supposed to do with it? I presume it should just pass it along verbatim to the AS using the parameter of the same name. But the text here should probably say as much, no?

And why is login_hint required? It seems quite possible that the AS or other party (a static HTML page of links, for example) wouldn't know enough to populate that field at the point of sending a Login Initiation Request.
from http://openid.net/specs/openid-connect-standard-1_0-21.html#client_Initiate_login
"login_hint
REQUIRED. Hint to the Authorization Server about the login identifier the End-User might use to log in (if necessary)."



_______________________________________________
Openid-specs-ab mailing list
Openid-specs-ab at lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-specs-ab



--
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en
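To make the parameter text Nat proposes above concrete (iss, login_hint, and a target_link_uri that MUST be checked so the endpoint cannot be used as an open redirector, with login_hint passed through verbatim as Brian suggests), here is an added example of a Relying Party's login initiation endpoint. It is illustration written for this archive page, not code from the OpenID specs or any implementation; the issuer table, client_id, redirect_uri, host name and landing page are constructed assumptions.

```python
from urllib.parse import urlencode, urlsplit

# Constructed configuration for a hypothetical Relying Party (not from the thread).
KNOWN_ISSUERS = {  # issuer identifier -> pre-registered authorization endpoint (no discovery)
    "https://op.example.com": "https://op.example.com/authorize",
}
DEFAULT_ISSUER = "https://op.example.com"   # used when the request carries no iss
CLIENT_ID = "rp-client-123"
REDIRECT_URI = "https://rp.example.org/callback"
DEFAULT_LANDING = "https://rp.example.org/home"
OWN_HOST = "rp.example.org"


def safe_target_link_uri(uri):
    """Return target_link_uri only if it points back at this RP over https;
    otherwise fall back to a fixed landing page, so a third party cannot use
    the endpoint to bounce the user-agent to an external site."""
    if not uri:
        return DEFAULT_LANDING
    p = urlsplit(uri)
    # hostname (not netloc) so "rp.example.org@evil.example" is seen as evil.example
    if (p.scheme == "https" and p.hostname == OWN_HOST and p.port is None
            and p.username is None and p.password is None):
        return uri
    return DEFAULT_LANDING


def handle_login_initiation(params, state, nonce):
    """Turn a Login Initiation Request (query parameters sent by the third party)
    into (authorization request URL, post-login target).  Raises ValueError when
    the named issuer is not one this RP has been configured for."""
    iss = params.get("iss", DEFAULT_ISSUER)
    if not iss.startswith("https://") or iss not in KNOWN_ISSUERS:
        raise ValueError("unknown or non-https issuer: %r" % iss)
    query = {
        "response_type": "code",
        "scope": "openid",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "state": state,   # binds the eventual response to this user-agent session
        "nonce": nonce,
    }
    if "login_hint" in params:   # forwarded verbatim under the same parameter name
        query["login_hint"] = params["login_hint"]
    authz_url = KNOWN_ISSUERS[iss] + "?" + urlencode(query)
    return authz_url, safe_target_link_uri(params.get("target_link_uri"))
```

The returned target is what the client redirects to after a positive authorization response; it should be stored server-side against the state value rather than round-tripped through the authorization request.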


