[Openid-specs-ab] Issue #878: Messages 18.104.22.168 Define "negative response" for id_token_hint (openid/connect)
issues-reply at bitbucket.org
Mon Sep 30 09:08:19 UTC 2013
New issue 878: Messages 22.214.171.124 Define "negative response" for id_token_hint
id_token_hint: The spec says that the server SHOULD return a "negative response" if the required subject isn't logged in. We have found out that for proper client / server interop there has to be an agreed error code for that.
The base OAuth 2.0 "access_denied" error is one possible candidate for that, but is too general.
The OIDC error "login_required" seems more specific, and it also ties nicely with the (common?) id_token_hint case when it is used with prompt=none.
Finally, what error should the server return if prompt=none and the server's policy expects an id_token_hint, but it is missing in the authz request? invalid_request?
What are the security implications of not requiring an id_token_hint with prompt=none?
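The decision logic the message is asking about, written out as an added example (this is not code from the thread or from any OpenID implementation): a server-side authorization endpoint that checks an id_token_hint against the current session and picks an error code for the prompt=none case. The function names, the HS256-signed toy ID Token, the `iss` value and the `require_hint_with_prompt_none` policy flag are all assumptions made for the example; the error codes are the candidates named in the issue (`login_required` for a subject mismatch or no session, `invalid_request` for a missing or unverifiable hint). A real OP would verify an RS256 signature against its own published keys rather than an HMAC secret.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

ISSUER = "https://op.example"  # assumed issuer for this example OP


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_id_token(sub: str, key: bytes) -> str:
    """Mint a minimal HS256 ID Token for a given subject (constructed sample only)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"iss": ISSUER, "sub": sub}).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_id_token(token: str, key: bytes) -> Optional[dict]:
    """Return the claims if the hint is a well-formed token this OP issued, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":  # reject alg confusion (e.g. "none")
            return None
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # covers bad base64, bad JSON, wrong segment count
        return None
    # Only trust hints that this OP issued itself.
    if claims.get("iss") != ISSUER or "sub" not in claims:
        return None
    return claims


def authorize(params: dict, session_sub: Optional[str],
              require_hint_with_prompt_none: bool, key: bytes) -> dict:
    """Decide the response to an authorization request.

    Returns {"ok": True} when the request may proceed, otherwise a dict with
    the OAuth/OIDC "error" member chosen as discussed in the issue.
    """
    prompt = params.get("prompt")
    hint = params.get("id_token_hint")

    # Policy: with prompt=none the OP insists on knowing which user is meant.
    if prompt == "none" and require_hint_with_prompt_none and hint is None:
        return {"error": "invalid_request",
                "error_description": "id_token_hint is required with prompt=none"}

    claims = None
    if hint is not None:
        claims = verify_id_token(hint, key)
        if claims is None:
            # A hint we cannot verify is a malformed request, not a login problem.
            return {"error": "invalid_request",
                    "error_description": "id_token_hint could not be validated"}

    if prompt == "none":
        # Silent authentication: nobody logged in means the "negative response".
        if session_sub is None:
            return {"error": "login_required",
                    "error_description": "no authenticated end-user"}
        # The required subject from the hint is not the one logged in.
        if claims is not None and claims["sub"] != session_sub:
            return {"error": "login_required",
                    "error_description": "session does not match id_token_hint"}
        return {"ok": True}

    # Interactive flow (prompt absent): a mismatched hint is still the
    # "negative response" case from the spec text; an OP may instead choose to
    # re-authenticate the user here (design choice for this example).
    if claims is not None and session_sub != claims["sub"]:
        return {"error": "login_required",
                "error_description": "session does not match id_token_hint"}
    return {"ok": True}


if __name__ == "__main__":
    key = b"constructed-example-hmac-key"  # constructed sample secret
    alice_hint = make_id_token("alice", key)
    print(authorize({"prompt": "none", "id_token_hint": alice_hint}, "alice", True, key))
    print(authorize({"prompt": "none", "id_token_hint": alice_hint}, "bob", True, key))
    print(authorize({"prompt": "none"}, "alice", True, key))
```

The ordering matters: the signature and issuer checks run before the subject comparison so that an unverifiable hint never influences which session the OP considers "required", and the missing-hint policy check sits first so the error code a client sees for a malformed request is stable regardless of session state.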