<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
tt
        {mso-style-priority:99;
        font-family:"Courier New";}
span.EmailStyle18
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-family:"Calibri","sans-serif";}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
        {page:WordSection1;}
--></style>
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">I’ve created
<a href="http://hg.openid.net/connect/issue/722/messages-211-text-on-id_token_hint-needs">
http://hg.openid.net/connect/issue/722/messages-211-text-on-id_token_hint-needs</a> to track this issue.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">                                                                -- Mike<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> openid-specs-ab-bounces@lists.openid.net [mailto:openid-specs-ab-bounces@lists.openid.net]
<b>On Behalf Of </b>Brian Campbell<br>
<b>Sent:</b> Friday, January 25, 2013 2:17 PM<br>
<b>To:</b> <openid-specs-ab@lists.openid.net><br>
<b>Subject:</b> [Openid-specs-ab] Messages -15 RC: id_token_hint not clear<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">After reading the text about id_token_hint, I'm not at all sure what it means. The whole thing is confusing to me but the various language around encryption is particularly confusing. And what is the AS/OP supposed to actually do with this
 hint anyway?<o:p></o:p></p>
<div>
<p class="MsoNormal"><br>
<br>
spec text from near the bottom of this section <a href="http://openid.net/specs/openid-connect-messages-1_0-15.html#auth_req">
http://openid.net/specs/openid-connect-messages-1_0-15.html#auth_req</a> <o:p></o:p></p>
<p class="MsoNormal">id_token_hint<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in">OPTIONAL. <a href="http://openid.net/specs/openid-connect-messages-1_0-15.html#id_token">
ID Token</a> passed to the Authorization server as a hint about the user's current or past authenticated session with the client. This SHOULD be present if
<tt><span style="font-size:10.0pt">prompt=none</span></tt> is sent. The value is a
<a href="http://openid.net/specs/openid-connect-messages-1_0-15.html#JWS">JWS</a> [JWS] encoded ID token as signed by the issuer; the
<a href="http://openid.net/specs/openid-connect-messages-1_0-15.html#JWS">JWS</a> [JWS] may be
<a href="http://openid.net/specs/openid-connect-messages-1_0-15.html#JWE">JWE</a> [JWE] encrypted by the public key of the issuer for additional confidentiality. If the ID Token received by the RP was encrypted, the Client MUST decrypt the signed ID Token.
 The Client MAY re-encrypt using the key that the server is capable of decrypting. For a self-issued ID Token, the
<tt><span style="font-size:10.0pt">sub</span></tt> (subject) of the ID Token MUST be sent as the
<tt><span style="font-size:10.0pt">kid</span></tt> (Key ID) of the JWE. <o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
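<p class="MsoNormal">The following is an added illustration of the quoted id_token_hint text, not code from the OpenID Connect specification or from anyone in this thread. It shows the RP building a <tt>prompt=none</tt> request that carries a previously issued ID Token as <tt>id_token_hint</tt>, and one way an OP can act on that hint: verify the signature, check that the token was issued by this OP to this client, and compare its <tt>sub</tt> to the user of the current browser session. A five-segment (JWE) hint is rejected, because the spec text requires the Client to decrypt before sending. The issuer URL, client_id, session values and the shared HS256 key are all constructed for the example; real OPs sign ID Tokens with asymmetric keys, and the JWE re-encryption and self-issued <tt>sub</tt>-as-<tt>kid</tt> cases are not implemented here.</p>

```python
# Added example, not part of the OpenID Connect spec or this thread.
# RP side: build a prompt=none request with id_token_hint.
# OP side: validate the hint and decide whether a silent response is possible.
import base64
import hashlib
import hmac
import json
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

ISSUER = "https://op.example.com"       # assumed OP issuer URL (constructed)
CLIENT_ID = "client-123"                # assumed RP client_id (constructed)
HINT_KEY = b"example-shared-hs256-key"  # constructed key; real OPs use asymmetric keys


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_id_token(claims: dict) -> str:
    """Mint a compact JWS (alg=HS256) carrying the given claims."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(HINT_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_id_token(token: str) -> dict:
    """Verify the JWS signature and return its claims; raise ValueError on failure."""
    parts = token.split(".")
    if len(parts) == 5:
        # Compact JWE has five segments: the hint is still encrypted. The quoted
        # text says the Client MUST decrypt it first (and MAY re-encrypt to a key
        # the OP can decrypt); this OP holds no such key, so it rejects the hint.
        raise ValueError("id_token_hint is a JWE; expected the decrypted signed ID Token")
    if len(parts) != 3:
        raise ValueError("id_token_hint is not a compact JWS")
    header = json.loads(b64url_decode(parts[0]))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(HINT_KEY, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(parts[1]))


def build_silent_auth_request(id_token: str, redirect_uri: str, state: str) -> str:
    """RP side: a prompt=none request carrying the earlier ID Token as the hint."""
    params = {
        "response_type": "id_token",
        "client_id": CLIENT_ID,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": state,
        "prompt": "none",
        "id_token_hint": id_token,
    }
    return f"{ISSUER}/authorize?{urlencode(params)}"


def op_handle_request(url: str, current_session_sub: Optional[str]) -> dict:
    """OP side: decide a prompt=none request from the hint and the browser session."""
    q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    if q.get("prompt") != "none":
        return {"outcome": "interactive_login"}
    hint = q.get("id_token_hint")
    if not hint:
        return {"error": "login_required", "reason": "prompt=none without id_token_hint"}
    try:
        claims = verify_id_token(hint)
    except ValueError as exc:
        return {"error": "invalid_request", "reason": str(exc)}
    # The hint names the user the RP believes it is dealing with. Only honour it
    # if this OP issued it to this client, and the current session is that user.
    # exp is deliberately not enforced: the quoted text allows a hint about a
    # past session (design choice here, not a statement of the spec).
    if claims.get("iss") != ISSUER or claims.get("aud") != q.get("client_id"):
        return {"error": "invalid_request", "reason": "hint not issued by this OP to this client"}
    if current_session_sub != claims.get("sub"):
        return {"error": "login_required", "reason": "session user differs from hint sub"}
    return {"outcome": "silent_success", "sub": claims["sub"]}
```

<p class="MsoNormal">The error names follow the OAuth/OpenID Connect convention of returning <tt>login_required</tt> when a <tt>prompt=none</tt> request cannot be satisfied without interaction and <tt>invalid_request</tt> when the hint itself is unusable; the exact error set is a choice made for this example.</p>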
</div>
</body>
</html>