[Openid-specs-ab] Limiting a login request to a specific user

Takahiko Kawasaki daru.tk at gmail.com
Tue Sep 23 10:57:46 UTC 2014


"OpenID Connect Core 1.0, 3.1.2.2. Authentication Request Validation"
says as follows:

> If the sub (subject) Claim is requested with a specific value
> for the ID Token, the Authorization Server MUST only send a
> positive response if the End-User identified by that sub value
> has an active session with the Authorization Server or has been
> Authenticated as a result of the request. The Authorization
> Server MUST NOT reply with an ID Token or Access Token for a
> different user, even if they have an active session with the
> Authorization Server. Such a request can be made either using
> an id_token_hint parameter or by requesting a specific Claim
> Value as described in Section 5.5.1, if the claims parameter is
> supported by the implementation.

Doesn't this mechanism suit your case?

If my understanding is correct, a client application can request
a specific subject (login ID) using "claims" request parameter
like below.

    {
     "id_token":
       {
         "sub": {"value": "REQUIRED-SUBJECT"}
       }
    }

If I'm wrong, please let me know, experts.

Takahiko Kawasaki

2014-09-23 7:34 GMT+09:00 Tim Bray <tbray at textuality.com>:
> Cleanest way would probably be new parameters “login_must_be” /
> ”id_token_must_be”, same semantics as login_hint but substitution forbidden.
>
> On Mon, Sep 22, 2014 at 3:26 PM, Mike Jones <Michael.Jones at microsoft.com>
> wrote:
>>
>> We have a use case in which we want to limit the login to the user
>> specified via the login_hint and not allow the user to sign in as a
>> different user.  How would you suggest expressing that requirement?  For
>> instance, should we invent a new request parameter such as “this_user=true”
>> (which could be used in combination with login_hint or id_token_hint)?  Or
>> might a “prompt” parameter value such as “prompt=this_user” be appropriate?
>> Or would that possibly conflict with other uses of “prompt”?
>>
>>
>>
>>                                                                 -- Mike
>>
>>
>>
>>
>> _______________________________________________
>> Openid-specs-ab mailing list
>> Openid-specs-ab at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>>
>
>
>
> --
> - Tim Bray (If you’d like to send me a private message, see
> https://keybase.io/timbray)
>
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>


More information about the Openid-specs-ab mailing list