<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<font face="Helvetica, Arial, sans-serif">I think we have two
different use cases (at least what I heard on the call).<br>
<br>
1. The initiator of the request only knows the login_hint value
and therefore the URL only contains the login_hint parameter. In
this case the OAuth2 client (receiver of the URL) must determine
the identity provider via some mechanism and then invoke that
identity provider also passing along the login_hint value
un-normalized.<br>
<br>
2. The initiator of the request only knows (or only wants to
specify) the issuer. In this case the OAuth2 client (receiver of
the URL) must direct the user to the specified identity provider.
In some cases it's possible that the client will be required to
perform dynamic registration of itself to the specified identity
provider before continuing the login flow.<br>
<br>
It's mandatory for the OAuth2 client to support both use cases.<br>
<br>
As for 'target_link_uri', it's pretty undefined as to what
'MUST verify' means. Maybe that's intentional, but as an
implementer it's pretty unclear.<br>
<br>
Overall, this "3rd party initiated" flow seems underspecified.
Like we are leaving out processing rules and other things. Is it
critical to have this support in the native spec as opposed to
profile or secondary doc? Is support for this whole concept
mandatory to implement for Relying Parties?<br>
<br>
Thanks,<br>
George<br>
<br>
</font>
<div class="moz-cite-prefix">On 6/20/13 11:19 AM, John Bradley
wrote:<br>
</div>
<blockquote
cite="mid:76721489-1059-4E98-A018-EA4A0ABAE981@ve7jtb.com"
type="cite">
I think Mike argued that iss be REQUIRED to avoid the client doing
discovery.
<div><br>
</div>
<div>Perhaps for login_hint <span style="font-family: verdana,
charcoal, helvetica, arial, sans-serif; ">OPTIONAL. A string
that the client MUST send as login_hint parameter value of the
authorization request if present.</span>
<div><br>
</div>
<div>
<div>On 2013-06-20, at 11:11 AM, Nat Sakimura <<a
moz-do-not-send="true" href="mailto:sakimura@gmail.com">sakimura@gmail.com</a>>
wrote:</div>
<br class="Apple-interchange-newline">
<blockquote type="cite">
<div dir="ltr">What about this?<br>
<br>
<dl>
<dt>login_hint</dt>
<dd>OPTIONAL. A string that the client MUST send as login_hint
parameter value of the authorization request.</dd>
<dt>iss</dt>
<dd>OPTIONAL. Issuer Identifier for the Issuer that the Client is
to send the authentication request to. Its value MUST be a URL
using the <tt>https</tt> scheme.</dd>
<dt>target_link_uri</dt>
<dd>OPTIONAL. URI of the target resource. After receiving a
positive authorization response, the Client SHOULD redirect the
user-agent to this URI. Clients MUST verify the value of the
<tt>target_link_uri</tt> to prevent it being used as an open
redirector to external sites.</dd>
</dl>
</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">2013/6/20 Brian Campbell <span
dir="ltr"><<a moz-do-not-send="true"
href="mailto:bcampbell@pingidentity.com"
target="_blank">bcampbell@pingidentity.com</a>></span><br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">
<div>
<p>The text says login_hint is required but then ends the
description with "(if necessary)" which reads kind of awkwardly
(to me anyway).</p>
<p>Also it says it's a "hint to the Authorization Server" but
this section is defining a client endpoint. Shouldn't it say
what the client is supposed to do with it? I presume it should
just pass it along verbatim to the AS using the parameter of the
same name. But the text here should probably say as much, no?</p>
<p>And why is login_hint required? It seems quite
possible that the AS or other party (a static
HTML page of links, for example) wouldn't know
enough to populate that field at the point of
sending a Login Initiation Request. </p>
</div>
<div>from <a moz-do-not-send="true"
href="http://openid.net/specs/openid-connect-standard-1_0-21.html#client_Initiate_login"
target="_blank">http://openid.net/specs/openid-connect-standard-1_0-21.html#client_Initiate_login</a>
<dl>
<dt>"login_hint</dt>
<dd>REQUIRED. Hint to the Authorization Server
about the login identifier the End-User might
use to log in (if necessary)."</dd>
</dl>
<br>
</div>
<div><br>
<br>
</div>
</div>
<br>
_______________________________________________<br>
Openid-specs-ab mailing list<br>
<a moz-do-not-send="true"
href="mailto:Openid-specs-ab@lists.openid.net">Openid-specs-ab@lists.openid.net</a><br>
<a moz-do-not-send="true"
href="http://lists.openid.net/mailman/listinfo/openid-specs-ab"
target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><br>
<br>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
Nat Sakimura (=nat)
<div>Chairman, OpenID Foundation<br>
<a moz-do-not-send="true"
href="http://nat.sakimura.org/" target="_blank">http://nat.sakimura.org/</a><br>
@_nat_en</div>
</div>
</blockquote>
</div>
<br>
</div>
<br>
</blockquote>
<br>
<div class="moz-signature">-- <br>
George Fletcher</div>
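<p>Added example, not code from the thread or from the OpenID Connect spec: a minimal handler for an RP's login-initiation endpoint that covers the two use cases George lists (a request carrying only login_hint, where the client must pick the issuer itself; and a request carrying iss, which must name a configured https issuer), forwards login_hint verbatim to the authorization request, and gives one concrete reading of "Clients MUST verify the value of the target_link_uri": accept only https URLs on the RP's own host, with no userinfo, and bind the accepted value to the state so the callback never redirects to anything that was not validated here. The provider table, the hint-domain-to-issuer table, the hostnames and the client_ids are all constructed for the example; the domain-based issuer lookup stands in for whatever discovery mechanism a real client uses.</p>

```python
"""Added example, not code from the thread or from the OpenID spec: a
minimal handler for an RP's login-initiation endpoint covering both use
cases from the thread (login_hint only; iss with or without login_hint)
and the target_link_uri check.  Provider table, hint-domain table and all
hostnames are constructed for the example."""
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed: issuer -> (authorization endpoint, client_id registered there).
PROVIDERS = {
    "https://op.example.com": ("https://op.example.com/authorize", "rp-client-1"),
    "https://login.example.org": ("https://login.example.org/oauth2/auth", "rp-client-2"),
}
# Constructed: e-mail domain of a login_hint -> issuer, used only for use
# case 1 (no iss in the request).  Any other discovery mechanism would do.
HINT_DOMAIN_TO_ISSUER = {
    "example.com": "https://op.example.com",
    "example.org": "https://login.example.org",
}
RP_REDIRECT_URI = "https://rp.example.net/callback"
# target_link_uri may only point back into the RP itself.
ALLOWED_TARGET_HOSTS = {"rp.example.net"}


class LoginInitiationError(ValueError):
    """Request rejected by the login-initiation endpoint."""


def resolve_issuer(iss, login_hint):
    """Use case 2: iss given -> must be a known https issuer.
    Use case 1: only login_hint -> pick the issuer from the hint's domain."""
    if iss is not None:
        if urlparse(iss).scheme != "https":
            raise LoginInitiationError("iss must be an https URL")
        if iss not in PROVIDERS:
            raise LoginInitiationError("iss is not a configured issuer")
        return iss
    if not login_hint:
        raise LoginInitiationError("need iss or login_hint")
    domain = login_hint.rpartition("@")[2].lower()
    issuer = HINT_DOMAIN_TO_ISSUER.get(domain)
    if issuer is None:
        raise LoginInitiationError("cannot map login_hint to an issuer")
    return issuer


def validate_target_link_uri(target):
    """Accept only absolute https URLs on an allowlisted RP host, with no
    userinfo, so the endpoint cannot serve as an open redirector."""
    if target is None:
        return None
    p = urlparse(target)
    if (p.scheme != "https" or p.hostname not in ALLOWED_TARGET_HOSTS
            or p.username is not None or "\\" in target):
        raise LoginInitiationError("target_link_uri rejected")
    return target


def handle_login_initiation(request_url, state_store):
    """Process one login-initiation request URL; return the authorization
    request URL the user-agent should be redirected to."""
    q = parse_qs(urlparse(request_url).query)
    iss = q.get("iss", [None])[0]
    login_hint = q.get("login_hint", [None])[0]
    target = validate_target_link_uri(q.get("target_link_uri", [None])[0])
    issuer = resolve_issuer(iss, login_hint)
    authz_endpoint, client_id = PROVIDERS[issuer]
    state = secrets.token_urlsafe(24)
    # Bind issuer and the already-validated target to the state; the callback
    # later reads the target from here, never from a parameter it receives.
    state_store[state] = {"issuer": issuer, "target_link_uri": target}
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": RP_REDIRECT_URI,
        "scope": "openid",
        "state": state,
    }
    if login_hint is not None:
        params["login_hint"] = login_hint  # forwarded verbatim, not normalized
    return authz_endpoint + "?" + urlencode(params)


def parse_authorization_request(url):
    """Split an authorization request URL into (endpoint, single-valued params)."""
    p = urlparse(url)
    endpoint = p._replace(query="", fragment="").geturl()
    return endpoint, {k: v[0] for k, v in parse_qs(p.query).items()}


def rejected(request_url):
    """True if the endpoint refuses this login-initiation request."""
    try:
        handle_login_initiation(request_url, {})
    except LoginInitiationError:
        return True
    return False
```

<p>The host allowlist is deliberately an exact hostname match rather than a string prefix, so values such as <tt>https://rp.example.net@evil.example/</tt> (userinfo trick) or <tt>https://rp.example.net.evil.example/</tt> are refused; a callback that trusts only the stored <tt>target_link_uri</tt> keyed by <tt>state</tt> then has no path by which an attacker-controlled URL reaches the final redirect.</p>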
</body>
</html>