<html><head><meta http-equiv="Content-Type" content="text/html; charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;">Yes.<div><br><div><div>On Mar 3, 2014, at 7:23 PM, George Fletcher <<a href="mailto:gffletch@aol.com">gffletch@aol.com</a>> wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite">
<div bgcolor="#FFFFFF" text="#000000">
<font face="Helvetica, Arial, sans-serif">Two things...<br>
<br>
1. Relying parties must assume that the returned user could be
different than the "current" user and deal with the scenario (i.e.
late-time binding). There were some exploits with OpenID2 because
RPs did not implement late-time bindings.<br>
<br>
2. If an id_token_hint is specified, then a "switch-user" is NOT
allowed. This is described in the text for the id_token_hint.<br>
<br>
So, I think it would be ok to perform a "switch-user" if a
specific user is NOT identified in the request. The RPs MUST
handle this case regardless.<br>
<br>
Thanks,<br>
George<br>
<br>
</font>
<div class="moz-cite-prefix">On 3/3/14 1:59 PM, Todd W Lainhart
wrote:<br>
</div>
<blockquote cite="mid:OF4D252042.DA1ED72E-ON85257C90.0067B822-85257C90.0068518D@us.ibm.com" type="cite"><a moz-do-not-send="true" href="http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest"><font face="sans-serif" size="2">http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest</font></a>
<br>
<br>
<font face="sans-serif" size="2">A question came up here regarding
whether
it is legal/expected to "switch-user" on the OP when
prompt=login
is given, and change the session. The text says this:</font>
<br>
<br>
<font face="Verdana" size="2">login</font>
<br>
<font face="Verdana" size="2">The Authorization Server SHOULD
prompt
the End-User for reauthentication. If it cannot reauthenticate
the End-User,
it MUST return an error, typically</font><font color="#002060" face="Courier New" size="2">login_required</font><font face="Verdana" size="2">.</font>
<br>
<br>
<br>
<font face="sans-serif" size="2">Some interpret "reauthentication"
as validating the logged-in user with a request for a resubmit
of their
credentials - others interpret "reauthentication" as the ability
to do an "su". Can someone clarify the intent?<br>
</font>
<br>
<table style="border-collapse:collapse;" width="223">
<tbody>
<tr height="8">
<td style="border-style:solid;border-color:#000000;border-width:0px
0px 0px 0px;padding:0px 0px;" bgcolor="white" width="223"><font face="Verdana" size="1"><b><br>
<br>
<br>
Todd Lainhart<br>
Rational software<br>
IBM Corporation<br>
550 King Street, Littleton, MA 01460-1250</b></font><font face="Arial" size="1"><b><br>
1-978-899-4705<br>
2-276-4705 (T/L)<br>
<a class="moz-txt-link-abbreviated" href="mailto:lainhart@us.ibm.com">lainhart@us.ibm.com</a></b></font></td>
</tr>
</tbody>
</table>
<br>
<br>
<br>
<pre wrap="">_______________________________________________
Openid-specs-ab mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Openid-specs-ab@lists.openid.net">Openid-specs-ab@lists.openid.net</a>
<a class="moz-txt-link-freetext" href="http://lists.openid.net/mailman/listinfo/openid-specs-ab">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a>
</pre>
</blockquote>
<br>
<div class="moz-signature">-- <br>
<a href="http://connect.me/gffletch" title="View full card on Connect.Me">View full card on Connect.Me</a></div>
</div>
</blockquote></div><br></div></body></html>
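<p>The two rules George states above, the RP late-binding the returned user and the OP refusing a switch-user when <code>id_token_hint</code> is present, as an added toy model in Python. This is example code written for this page, not code from the OpenID Foundation, the spec, or any of the thread's participants. It assumes ID Tokens are already-decoded, signature-verified dicts (no JWT handling is shown), and the names <code>op_authorize</code>, <code>rp_handle_callback</code>, <code>AuthRequest</code> and <code>RpSession</code> are invented for the illustration.</p>

```python
"""Toy model of two rules discussed on the thread:

  * the RP must late-bind: whoever the returned ID Token names is the
    session user, not whoever the RP assumed was "current" when it
    redirected (the OP may have let the End-User "su" to someone else);
  * the OP must not switch users when id_token_hint is given: if the
    authenticated user is not the one the hint names, return an error
    (typically login_required) instead of a token for the other user.

ID Tokens are plain dicts standing in for decoded, signature-verified
tokens; no JWT signing/verification is performed (assumption for brevity).
"""
from dataclasses import dataclass, field
from typing import Callable, Optional

# --- OP side ---------------------------------------------------------------

@dataclass
class AuthRequest:
    client_id: str
    nonce: str
    prompt: Optional[str] = None            # e.g. "login"
    id_token_hint: Optional[dict] = None    # decoded hint (assumed validated)

@dataclass
class AuthResult:
    id_token: Optional[dict] = None
    error: Optional[str] = None

def op_authorize(req: AuthRequest, current_sub: Optional[str],
                 reauthenticate: Callable[[], Optional[str]]) -> AuthResult:
    """Model of an OP handling an authentication request.

    `current_sub` is the subject of the OP's existing browser session (None
    if there is none).  `reauthenticate` models the login UI: it returns the
    subject who actually authenticated, which may differ from `current_sub`
    (a "switch-user"), or None if authentication failed.
    """
    if req.prompt == "login":
        sub = reauthenticate()
        if sub is None:
            # Could not reauthenticate the End-User: MUST return an error.
            return AuthResult(error="login_required")
    else:
        sub = current_sub
        if sub is None:
            return AuthResult(error="login_required")

    # id_token_hint names the End-User the client expects.  If the user who
    # is (now) logged in is someone else, do not hand back a token for the
    # other user; the spec says to return an error such as login_required.
    if req.id_token_hint is not None and req.id_token_hint.get("sub") != sub:
        return AuthResult(error="login_required")

    return AuthResult(id_token={"iss": "https://op.example", "sub": sub,
                                "aud": req.client_id, "nonce": req.nonce})

# --- RP side ---------------------------------------------------------------

@dataclass
class RpSession:
    client_id: str
    pending_nonce: Optional[str] = None
    sub: Optional[str] = None
    data: dict = field(default_factory=dict)  # per-user state (cart, prefs, ...)

def rp_handle_callback(session: RpSession, id_token: dict) -> str:
    """Late binding: bind the session to whoever the ID Token says, never to
    whoever the RP assumed was "current" when it redirected."""
    if id_token.get("aud") != session.client_id:
        return "rejected:aud"
    # The nonce ties this response to the request this RP session issued.
    if session.pending_nonce is None or id_token.get("nonce") != session.pending_nonce:
        return "rejected:nonce"
    session.pending_nonce = None

    returned = id_token["sub"]
    if session.sub is None:
        session.sub = returned
        return "logged_in"
    if returned != session.sub:
        # A different user came back (the OP allowed an "su").  Drop the old
        # user's state instead of handing it to the new one.
        session.data.clear()
        session.sub = returned
        return "switched_user"
    return "reauthenticated"
```

<p>The RP side is the part that is easy to get wrong: an RP that only checks "did authentication succeed?" and keeps serving the pre-existing session would hand user A's state to user B after a switch-user at the OP, which is the class of problem George alludes to with OpenID 2.0 RPs.</p>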