[Openid-specs-ab] What error should be returned when prompt=none used and the user is not logged in?

Mike Jones Michael.Jones at microsoft.com
Thu Oct 3 00:56:17 UTC 2013


I agree with this.  The question was scoped to the situation where you can't satisfy it and need the id_token_hint.

On another topic - I'd asked this on another thread, but hadn't heard back...  What are the locations of your check_session_iframe and end_session_endpoint endpoints, Googlers?  We'd like to do session management interop testing before we take the specs final.

				-- Mike

-----Original Message-----
From: Breno de Medeiros [mailto:breno at google.com] 
Sent: Wednesday, October 02, 2013 5:50 PM
To: Mike Jones
Cc: openid-specs-ab at lists.openid.net; Naveen Agarwal
Subject: Re: What error should be returned when prompt=none used and the user is not logged in?

What about trying to satisfy the request when possible -- for instance, if there's a signed-in user that has approved the application in the past, it may make sense to return an id_token for the user?

On Wed, Oct 2, 2013 at 5:46 PM, Mike Jones <Michael.Jones at microsoft.com> wrote:
> Thanks - we'll go with login_required then.  How about the other 
> question "What error should be returned when prompt=none and no 
> id_token_hint is present and is required?"  Is invalid_request good 
> for that, as far as you're concerned?
>
>
>
>                                                             -- Mike
>
>
>
> From: Breno de Medeiros [mailto:breno at google.com]
> Sent: Wednesday, October 02, 2013 5:43 PM
>
>
> To: Mike Jones
> Cc: openid-specs-ab at lists.openid.net; Naveen Agarwal
> Subject: RE: What error should be returned when prompt=none used and 
> the user is not logged in?
>
>
>
> On Oct 2, 2013 12:30 PM, "Mike Jones" <Michael.Jones at microsoft.com> wrote:
>
> If the user isn't logged in, how can you issue an ID Token?
>
>
>
> Sorry, I lost context, I thought the question was about prompt=login, 
> but it is about prompt=none.
>
>
>
> Today Google's IDP returns 'error=immediate_failed'. It should be 
> possible to return login_required instead.
>
>
>
> From: Breno de Medeiros [mailto:breno at google.com]
> Sent: Wednesday, October 02, 2013 12:27 PM
> To: Mike Jones
> Cc: openid-specs-ab at lists.openid.net; Naveen Agarwal
> Subject: RE: What error should be returned when prompt=none used and 
> the user is not logged in?
>
>
>
> There is no need for an error. We issue a regular assertion w/o a 
> reauth clause.
>
> On Oct 2, 2013 12:21 PM, "Mike Jones" <Michael.Jones at microsoft.com> wrote:
>
> What error do you return in this case?
>
> -----Original Message-----
> From: Breno de Medeiros [mailto:breno at google.com]
> Sent: Wednesday, October 02, 2013 12:16 PM
> To: Mike Jones
> Cc: Naveen Agarwal; openid-specs-ab at lists.openid.net
> Subject: Re: What error should be returned when prompt=none used and 
> the user is not logged in?
>
> I am unaware of implementations of login_required.
>
> On Wed, Oct 2, 2013 at 12:00 PM, Mike Jones 
> <Michael.Jones at microsoft.com>
> wrote:
>> Googlers, can you be sure to reply to this thread?
>>
>>
>>
>>
>> Thanks,
>>
>>                                                                 -- 
>> Mike
>>
>>
>>
>> From: openid-specs-ab-bounces at lists.openid.net
>> [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of Mike 
>> Jones
>> Sent: Wednesday, October 02, 2013 11:36 AM
>> To: openid-specs-ab at lists.openid.net
>> Subject: [Openid-specs-ab] What error should be returned when 
>> prompt=none used and the user is not logged in?
>>
>>
>>
>> login_required?
>>
>>
>>
>> What are implementations in production use returning in this case?
>>
>>
>>
>>                                                                 -- 
>> Mike
>>
>>
>
>
>
> --
> --Breno



--
--Breno
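
The prompt=none handling discussed in this thread, shown as an added example that is not part of any message above and not any provider's actual code. The function and parameter names, the `hint_needed` policy flag and the sample request are hypothetical, `consent_required` comes from OpenID Connect Core rather than from the thread, and `redirect_uri` is assumed to have already been checked against the client's registration.

```python
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

def prompt_none_response(params, session_sub, consents, hint_needed=False):
    """Build the redirect for an authorization request sent with prompt=none.

    params      -- request parameters as a dict (client_id, redirect_uri, ...)
    session_sub -- subject of the signed-in browser session, or None
    consents    -- set of (sub, client_id) pairs the user approved earlier
    hint_needed -- hypothetical OP policy flag: this request can only be
                   satisfied if the client supplies id_token_hint
    """
    if params.get("prompt") != "none":
        raise ValueError("only prompt=none requests are handled here")

    if session_sub is None:
        # No signed-in user and no UI allowed: the error settled on in the thread.
        out = {"error": "login_required"}
    elif hint_needed and not params.get("id_token_hint"):
        # The error proposed in the thread for a required but absent hint.
        out = {"error": "invalid_request",
               "error_description": "id_token_hint is required"}
    elif (session_sub, params["client_id"]) not in consents:
        # Not covered by the thread; error code defined in OpenID Connect Core.
        out = {"error": "consent_required"}
    else:
        # Signed in and previously approved: satisfy the request silently.
        out = {"code": secrets.token_urlsafe(16)}  # stand-in for a real code

    if "state" in params:
        out["state"] = params["state"]  # echoed on success and on error
    sep = "&" if urlsplit(params["redirect_uri"]).query else "?"
    return params["redirect_uri"] + sep + urlencode(out)


def result_of(url):
    """Flatten the query string of a redirect URL into a dict for inspection."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


# Constructed sample request; every value below is made up for the example.
REQ = {"client_id": "rp1", "redirect_uri": "https://rp.example/cb",
       "response_type": "code", "scope": "openid", "prompt": "none",
       "state": "xyz"}
CONSENTS = {("alice", "rp1")}
```
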

