[Openid-specs-ab] Issue #906: Core- 2.1.2.2 Authentication Request Validation - bullet 4. (openid/connect)

Nat Sakimura issues-reply at bitbucket.org
Mon Dec 2 15:56:45 UTC 2013


New issue 906: Core- 2.1.2.2 Authentication Request Validation - bullet 4.
https://bitbucket.org/openid/connect/issue/906/core-2122-authentication-request

Nat Sakimura:

The bullet 4 currently states: 

4.	If the sub (subject) Claim is requested with a specific value for the ID Token, the Authorization Server MUST only send a positive response if the End-User identified by that sub value has an active session with the Authorization Server. 

While it is understandable, it also sounds as if the server has to have an established session when the user agent arrives at the server. This is not the case, and unless prompt=none is specified, the server can re-authenticate the user to the desired sub, and return the response. 

Suggests: 

4.	If the sub (subject) Claim is requested with a specific value for the ID Token, the Authorization Server MUST only send a positive response if the End-User is authenticated as the user identified by that sub value either with an active session with the Authorization Server or by re-Authenticating the user. 
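The rule the proposed wording describes, as an added Python model of an Authorization Server's decision (not code from this issue, the specification, or any OpenID implementation); the `Session`, `AuthRequest` and `reauthenticate` names and the error codes returned are assumptions chosen for illustration:

```python
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Session:
    """Assumed model of an AS session for an authenticated End-User."""
    sub: str              # subject identifier of the authenticated user
    active: bool = True   # False once the session has expired or been logged out


@dataclass
class AuthRequest:
    """Assumed model of the relevant parts of an Authentication Request."""
    requested_sub: Optional[str] = None   # claims.id_token.sub.value, if present
    prompt: Optional[str] = None          # e.g. "none"


def validate_sub_request(req: AuthRequest, session: Optional[Session],
                         reauthenticate: Callable[[str], Optional[Session]]) -> dict:
    """Apply the proposed bullet 4: a positive response only if the End-User is
    authenticated as the requested sub, via an active session or re-authentication."""
    if req.requested_sub is None:
        # Bullet 4 does not apply; ordinary request processing continues.
        return {"ok": True, "sub": None}

    # Case 1: an active session already belongs to the requested subject.
    if session is not None and session.active and session.sub == req.requested_sub:
        return {"ok": True, "sub": session.sub}

    # Case 2: prompt=none forbids any user interaction, so the server cannot
    # re-authenticate and must return a negative response (assumed error code).
    if req.prompt == "none":
        return {"ok": False, "error": "login_required"}

    # Case 3: re-authenticate the End-User (hook supplied by the caller) and
    # accept only if the resulting session is for the requested sub.
    new_session = reauthenticate(req.requested_sub)
    if new_session is not None and new_session.active and new_session.sub == req.requested_sub:
        return {"ok": True, "sub": new_session.sub}
    # Authenticated as someone else (or not at all): negative response (assumed code).
    return {"ok": False, "error": "access_denied"}
```

The `reauthenticate` hook stands in for whatever login interaction the server performs; the function never trusts the requested value itself, only the subject the server actually authenticated.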