[Openid-specs-ab] Issue #878: Messages 2.1.1.1 Define "negative response" for id_token_hint (openid/connect)

Vladimir Dzhuvinov issues-reply at bitbucket.org
Mon Sep 30 09:08:19 UTC 2013


New issue 878: Messages 2.1.1.1 Define "negative response" for id_token_hint
https://bitbucket.org/openid/connect/issue/878/messages-2111-define-negative-response-for

Vladimir Dzhuvinov:

Hi guys,

id_token_hint : The spec says that the server SHOULD return a "negative response" if the required subject isn't logged in. We have found out that for proper client / server interop there has to be an agreed error code for that.

The base OAuth 2.0 "access_denied" error is one possible candidate for that, but is too general.

The OIDC error "login_required" seems more specific, and it also ties nicely with the (common?) id_token_hint case when it is used with prompt=none.

Finally, what error should the server return if prompt=none and the server's policy expects an id_token_hint, but it is missing in the authz request? invalid_request?

What are the security implications of not requiring an id_token_hint with prompt=none?

Thanks,

Vladimir




More information about the Openid-specs-ab mailing list