[Openid-specs-ab] login_hint for Initiating Login at Client from Third Party

Brian Campbell bcampbell at pingidentity.com
Thu Jun 20 16:03:33 UTC 2013


so this will be tracked and not forgotten about:
https://bitbucket.org/openid/connect/issue/850/login_hint-for-initiating-login-at-client


On Thu, Jun 20, 2013 at 9:45 AM, John Bradley <ve7jtb at ve7jtb.com> wrote:

> The problem was the login process we have MUST be initiated by the client
> per OAuth.
>
> There was no way for a 3rd party to initiate the login due to concerns
> about logging users into sites in the background without their consent.
>
> The uses for this are:
> 1. Account chooser providing discovery info to the client for kicking off
> a generic login.
> 2. The IdP having a bookmark service that directly logs the user into the
> client.
> 3. Deep linking content type services, where you may be logged into
> provider A that provides a link to a resource at client B and knows
> credentials for you that it or someone else has that you need to get to the
> resource at B. This is common in all sorts of content provider services.
>
> At the moment for SAML one common hack is to bake the IdP into the target
> URI somehow or try and guess based on referrer. What you don't want is to
> pop up another discovery dialog at the client before the user is directed
> back to the IdP. Ideally if the user has previously connected to logging
> into the client everything happens in the background and to them it just
> looks like they are following a link.
>
> John B.
>
> On 2013-06-20, at 11:25 AM, Mike Jones <Michael.Jones at microsoft.com>
> wrote:
>
> I think the “MUST” in the login_hint language below is confusing.
>
> If we don’t require that the issuer be specified, we have to say how to
> figure out what it is.
>
> I guess part of the confusion is what this is for.  I’d thought that it
> was “please log this user in at this IdP”.  If we make everything optional
> it becomes something closer to “please have the user log at your RP”.
> Before revising the text, we probably want to be clear among ourselves what
> it’s trying to accomplish.
>
>                                                             -- Mike
>
> *From:* openid-specs-ab-bounces at lists.openid.net [mailto:openid-
> specs-ab-bounces at lists.openid.net] *On Behalf Of* John Bradley
> *Sent:* Thursday, June 20, 2013 8:20 AM
> *To:* Nat Sakimura
> *Cc:* <openid-specs-ab at lists.openid.net>
> *Subject:* Re: [Openid-specs-ab] login_hint for Initiating Login at
> Client from Third Party
>
> I think Mike argued that iss be REQUIRED to avoid the client doing
> discovery.
>
> Perhaps for login_hint OPTIONAL. A string that the client MUST send as
> login_hint parameter value of the authorization request if present.
> On 2013-06-20, at 11:11 AM, Nat Sakimura <sakimura at gmail.com> wrote:
>
> What about this?
>
> login_hint
> OPTIONAL. A string that the client MUST send as login_hint parameter value
> of the authorization request.
> iss
> OPTIONAL. Issuer Identifier for the Issuer that the Client is to send the
> authentication request to. Its value MUST be a URL using the https scheme.
> target_link_uri
> OPTIONAL. URI of the target resource. After receiving a positive
> authorization response, the Client SHOULD redirect the user-agent to this
> URI. Clients MUST verify the value of the target_link_uri to prevent it
> being used as an open redirector to external sites.
>
> 2013/6/20 Brian Campbell <bcampbell at pingidentity.com>
> The text says login_hint is required but then ends the description with
> "(if necessary)" which reads kind of awkwardly (to me anyway).
>
> Also it says it's a "hint to the Authorization Server" but this section is
> defining a client endpoint. Shouldn't it say what the client is supposed to
> do with it? I presume it should just pass it along verbatim to the AS using
> the parameter of the same name. But the text here should probably say as
> much, no?
>
> And why is login_hint required? It seems quite possible that the AS or
> other party (a static HTML page of links, for example) wouldn't know enough
> to populate that field at the point of sending a Login Initiation Request.
>
> from
> http://openid.net/specs/openid-connect-standard-1_0-21.html#client_Initiate_login
>
> "login_hint
> REQUIRED. Hint to the Authorization Server about the login identifier the
> End-User might use to log in (if necessary)."
>
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>
> --
> Nat Sakimura (=nat)
> Chairman, OpenID Foundation
> http://nat.sakimura.org/
> @_nat_en
>
>
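The client-side Login Initiation Endpoint the thread is sketching (an `iss`, an optional `login_hint`, and a `target_link_uri` that must not become an open redirector), as an added Python example; this is not code from the OpenID specification or from any of the posters, and the issuer table, client_id, redirect URI, allowed hosts and sample query strings are constructed placeholders. It follows John's position that the client should not run discovery on third-party input (only an already-registered `iss` is accepted), forwards `login_hint` verbatim under the same parameter name as Brian suggests, and re-serializes `target_link_uri` from its vetted parts so it can only point back at the client's own hosts.

```python
# Added example (not from the OpenID spec or the thread's authors): a client's
# Login Initiation Endpoint handling iss, login_hint and target_link_uri.
# All issuer URLs, client settings and sample queries are constructed placeholders.
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Hypothetical client configuration.
CLIENT_CONFIG = {
    "client_id": "example-client",
    "redirect_uri": "https://client.example/callback",
    # Issuers the client is already registered with, keyed by Issuer Identifier.
    # Anything else is refused rather than discovered on a third party's say-so.
    "known_issuers": {
        "https://op.example": {"authorization_endpoint": "https://op.example/authorize"},
    },
    # Only hosts this client itself serves may be post-login targets.
    "allowed_target_hosts": {"client.example"},
}


class LoginInitiationError(ValueError):
    """Raised when a Login Initiation Request fails validation."""


def validate_iss(iss, config):
    """Return the issuer's metadata if iss is an https URL the client already knows."""
    parts = urlsplit(iss)
    if parts.scheme != "https" or not parts.hostname:
        raise LoginInitiationError("iss must be a URL using the https scheme")
    if parts.query or parts.fragment:
        raise LoginInitiationError("iss must not carry a query or fragment")
    try:
        return config["known_issuers"][iss]
    except KeyError:
        raise LoginInitiationError("unknown issuer; not running discovery on third-party input") from None


def validate_target_link_uri(target, config):
    """Re-serialize target_link_uri from vetted parts so it can only point at this client."""
    parts = urlsplit(target)
    # A scheme-relative "//other.example" or a non-https scheme fails here.
    if parts.scheme != "https":
        raise LoginInitiationError("target_link_uri must use https")
    # Compare the parsed hostname, not the raw netloc, so userinfo tricks such as
    # "client.example@other.example" resolve to other.example and are rejected.
    if parts.hostname not in config["allowed_target_hosts"]:
        raise LoginInitiationError("target_link_uri points outside this client (open redirect)")
    return urlunsplit(("https", parts.hostname, parts.path or "/", parts.query, ""))


def handle_login_initiation(query_string, config, session):
    """Validate the request and return the authorization request URL to redirect to.

    `session` is a per-user-agent dict (constructed stand-in for a server session)
    that remembers the state value and the vetted target for the callback step.
    """
    params = {k: v[0] for k, v in parse_qs(query_string).items()}
    if "iss" not in params:
        raise LoginInitiationError("iss is required: the client will not guess the issuer")
    issuer = validate_iss(params["iss"], config)

    target = None
    if "target_link_uri" in params:
        target = validate_target_link_uri(params["target_link_uri"], config)

    state = secrets.token_urlsafe(16)
    session["state"] = state
    session["target"] = target

    authz = {
        "response_type": "code",
        "scope": "openid",
        "client_id": config["client_id"],
        "redirect_uri": config["redirect_uri"],
        "state": state,
    }
    if "login_hint" in params:
        # Forwarded verbatim under the same parameter name; the client does not interpret it.
        authz["login_hint"] = params["login_hint"]
    return issuer["authorization_endpoint"] + "?" + urlencode(authz)


def accepts(query_string, config):
    """True if the request passes validation, False if it would be rejected."""
    try:
        handle_login_initiation(query_string, config, {})
        return True
    except LoginInitiationError:
        return False


if __name__ == "__main__":
    session = {}
    print(handle_login_initiation(
        "iss=https%3A%2F%2Fop.example&login_hint=alice%40client.example"
        "&target_link_uri=https%3A%2F%2Fclient.example%2Fdocs%2F42",
        CLIENT_CONFIG, session))
    print(session)
```

The vetted target is kept server-side in the session rather than round-tripped through the authorization request, so the callback handler redirects only to a value this endpoint already checked; the `state` value binds the eventual response back to this initiation.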

