[Openid-specs-ab] login_hint for Initiating Login at Client from Third Party

John Bradley ve7jtb at ve7jtb.com
Thu Jun 20 15:45:18 UTC 2013


The problem was the login process we have MUST be initiated by the client per OAuth.

There was no way for a 3rd party to initiate the login due to concerns about logging users into sites in the background without their consent.

The uses for this are:
1. Account chooser providing discovery info to the client for kicking off a generic login.
2. The IdP having a bookmark service that directly logs the user into the client.
3. Deep linking content type services, where you may be logged into provider A that provides a link to a resource at client B and knows credentials for you that it or someone else has that you need to get to the resource at B. This is common in all sorts of content provider services.

At the moment for SAML one common hack is to bake the IdP into the target URI somehow or try to guess based on referrer. What you don't want is to pop up another discovery dialog at the client before the user is directed back to the IdP. Ideally if the user has previously connected to logging into the client everything happens in the background and to them it just looks like they are following a link.

John B.

On 2013-06-20, at 11:25 AM, Mike Jones <Michael.Jones at microsoft.com> wrote:

> I think the “MUST” in the login_hint language below is confusing.
>  
> If we don’t require that the issuer be specified, we have to say how to figure out what it is.
>  
> I guess  part of the confusion is what this is for.  I’d thought that it was “please log this user in at this IdP”.  If we make everything optional it becomes something closer to “please have the user log at your RP”.  Before revising the text, we probably want to be clear among ourselves what it’s trying to accomplish.
>  
>                                                             -- Mike
>  
> From: openid-specs-ab-bounces at lists.openid.net [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of John Bradley
> Sent: Thursday, June 20, 2013 8:20 AM
> To: Nat Sakimura
> Cc: <openid-specs-ab at lists.openid.net>
> Subject: Re: [Openid-specs-ab] login_hint for Initiating Login at Client from Third Party
>  
> I think Mike argued that iss be REQUIRED to avoid the client doing discovery.
>  
> Perhaps for login_hint OPTIONAL. A string that the client MUST send as login_hint parameter value of the authorization request if present.
>  
> On 2013-06-20, at 11:11 AM, Nat Sakimura <sakimura at gmail.com> wrote:
> 
> 
> What about this? 
>  
> login_hint
> OPTIONAL. A string that the client MUST send as login_hint parameter value of the authorization request.
> iss
> OPTIONAL. Issuer Identifier for the Issuer that the Client is to send the authentication request to. Its value MUST be a URL using the https scheme.
> target_link_uri
> OPTIONAL. URI of the target resource. After receiving a positive authorization response, the Client SHOULD redirect the user-agent to this URI. Clients MUST verify the value of the target_link_uri to prevent it being used as an open redirector to external sites.
>  
> 
> 2013/6/20 Brian Campbell <bcampbell at pingidentity.com>
> The text says login_hint is required but then ends the description with "(if necessary)" which reads kind of awkwardly (to me anyway).
>  
> Also it says it's a "hint to the Authorization Server" but this section is defining a client endpoint. Shouldn't it say what the client is supposed to do with it? I presume it should just pass it along verbatim to the AS using the parameter of the same name. But the text here should probably say as much, no?
> And why is login_hint required? It seems quite possible that the AS or other party (a static HTML page of links, for example) wouldn't know enough to populate that field at the point of sending a Login Initiation Request.
> 
> from http://openid.net/specs/openid-connect-standard-1_0-21.html#client_Initiate_login
> "login_hint
> REQUIRED. Hint to the Authorization Server about the login identifier the End-User might use to log in (if necessary)."
>  
>  
> 
> 
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
> 
> 
> 
>  
> -- 
> Nat Sakimura (=nat)
> Chairman, OpenID Foundation
> http://nat.sakimura.org/
> @_nat_en

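The client-side endpoint the thread is defining (a third party sends login_hint, iss and target_link_uri to the client, and the client turns that into an authorization request) is small enough to show end to end. The following is an added example, not code from the thread, the OpenID Foundation or any implementation. It follows the draft wording quoted above (iss and login_hint OPTIONAL, login_hint forwarded verbatim, target_link_uri checked against the client's own origins so the endpoint is not an open redirector). The client configuration, the single default issuer used when no iss is sent, and the identifiers in it are constructed assumptions for the example.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed client configuration for the example (hypothetical identifiers,
# not values taken from the thread or the spec).
CLIENT_CONFIG = {
    "client_id": "s6BhdRkqt3",
    "redirect_uri": "https://client.example.org/cb",
    # Origins this client serves; target_link_uri must land on one of them.
    "own_origins": {"https://client.example.org"},
    # Issuers the client is registered with, mapped to their authorization endpoints.
    "issuers": {"https://op.example.com": "https://op.example.com/authorize"},
    # Assumption: a single default OP is used when the initiator sends no iss.
    "default_issuer": "https://op.example.com",
}


class InitiateLoginError(ValueError):
    """A Login Initiation Request the client must refuse."""


def _require_https(url: str) -> None:
    """Reject anything that is not an absolute https URL free of userinfo."""
    p = urlsplit(url)
    if p.scheme != "https" or not p.hostname:
        raise InitiateLoginError(f"not an absolute https URL: {url!r}")
    if p.username is not None or p.password is not None:
        raise InitiateLoginError(f"userinfo is not allowed: {url!r}")


def _origin(url: str) -> str:
    """scheme://host[:port] of url, host lower-cased, default port dropped."""
    _require_https(url)
    p = urlsplit(url)
    port = "" if p.port in (None, 443) else f":{p.port}"
    return f"https://{p.hostname.lower()}{port}"


def validate_target_link_uri(uri: str, own_origins) -> str:
    """Accept target_link_uri only if it lands on an origin the client owns.

    Comparing whole origins (never substrings or prefixes) is what rejects
    https://client.example.org.evil.test/ and https://evil.test/client.example.org,
    so the endpoint cannot be abused as an open redirector.
    """
    if _origin(uri) not in own_origins:
        raise InitiateLoginError(f"target_link_uri is off-site: {uri!r}")
    return uri


def select_issuer(iss, config) -> str:
    """Pick the OP: the iss sent by the initiator, else the configured default."""
    if iss is None:
        iss = config["default_issuer"]
    _require_https(iss)
    if iss not in config["issuers"]:
        raise InitiateLoginError(f"issuer not trusted by this client: {iss!r}")
    return iss


def handle_initiate_login(params: dict, config=CLIENT_CONFIG,
                          token=secrets.token_urlsafe):
    """Process one Login Initiation Request; return (redirect_url, session).

    `params` holds the query parameters the third party sent to the client's
    initiate-login endpoint. `session` is what the client keeps server-side,
    keyed by state, so the callback can finish the login and then honour
    target_link_uri without trusting anything from the URL a second time.
    """
    iss = select_issuer(params.get("iss"), config)
    target = params.get("target_link_uri")
    if target is not None:
        target = validate_target_link_uri(target, config["own_origins"])

    state, nonce = token(32), token(32)
    auth_params = {
        "response_type": "code",
        "scope": "openid",
        "client_id": config["client_id"],
        "redirect_uri": config["redirect_uri"],
        "state": state,
        "nonce": nonce,
    }
    # login_hint is opaque to the client: forward it verbatim, never interpret it.
    if params.get("login_hint") is not None:
        auth_params["login_hint"] = params["login_hint"]

    redirect_url = config["issuers"][iss] + "?" + urlencode(auth_params)
    session = {"state": state, "nonce": nonce, "iss": iss, "target_link_uri": target}
    return redirect_url, session


def auth_request_params(redirect_url: str) -> dict:
    """Single-valued view of the query string of a built authorization request."""
    return {k: v[0] for k, v in parse_qs(urlsplit(redirect_url).query).items()}
```

Two design points follow from the thread. Restricting iss to issuers the client is already registered with is what lets the client skip discovery at this endpoint, which is the reason given above for wanting iss specified; the fallback to one default issuer is purely an assumption of this example. Keeping target_link_uri in the server-side session rather than round-tripping it through the OP means the only place it is ever trusted is after the origin check here. (In the published OpenID Connect Core 1.0, Section 4, iss ended up REQUIRED while login_hint and target_link_uri stayed OPTIONAL.)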