<div dir="ltr"><div>I created <a href="https://bitbucket.org/openid/connect/issue/968">https://bitbucket.org/openid/connect/issue/968</a> so as not to lose track of this.<br><br></div>I'd think it should probably be a MUST. But the spec should at least be consistent with itself. <br></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Apr 7, 2015 at 10:38 AM, George Fletcher <span dir="ltr"><<a href="mailto:gffletch@aol.com" target="_blank">gffletch@aol.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<font face="Helvetica, Arial, sans-serif">Aren't there two possible
cases?<br>
<br>
1. The RP wants the AS to authenticate the current user. The RP
passes a id_token_hint using the last id_token it has for that
cookied browser. However, the RP doesn't really care who is
logging in, it's just trying to be helpful because in most cases
it really is the same user. In this kind of a scenario, the SHOULD
makes sense, as the RP is fine if the AS sends back a different
user than the id_token_hint.<br>
<br>
2. The RP wants the AS to authenticate ONLY the user identified by
the id_token_hint. In this case the AS MUST return an error if the
user's are different.<br>
<br>
I'm fine moving all responses to MUST and making use case #1 just
incur a few more redirects before the user gets logged in.<br>
<br>
Thanks,<br>
George<br>
</font><div><div class="h5"><br>
<div>On 4/7/15 11:25 AM, John Bradley wrote:<br>
</div>
<blockquote type="cite">
Well it MUST be consistent.
<div><br>
</div>
<div>I think it was MUST in both places then there was a
discussion that it is the responsibility of the client to check
the sub in the returned id_token, so it may be better in some
cases to have the IdP respond with a positive response for a
diffrent sub rather than an error. </div>
<div><br>
</div>
<div>Saying both would be the worst of both worlds.</div>
<div><br>
</div>
<div>If we are certain that RP really validate the sub in
prompt=none cases then SHOULD is fine. If clients are sloppy
with that then having it a MUST is better as it will stop
clients from mistakenly thinking that a positive response is fro
the same user.</div>
<div><br>
</div>
<div>I think I was the one arguing for MUST at the time,
but I tend to be conservative.</div>
<div><br>
</div>
<div>We must have missed the other reference when it was
changed to SHOULD.</div>
<div><br>
</div>
<div>John B.</div>
<div>
<div>
<blockquote type="cite">
<div>On Apr 7, 2015, at 8:10 AM, Brian Campbell
<<a href="mailto:bcampbell@pingidentity.com" target="_blank">bcampbell@pingidentity.com</a>>
wrote:</div>
<br>
<div>
<div dir="ltr">
<dl>
<dt>Core has two mentions of id_token_hint
(not counting self issued and IANA registration),
which are quoted below. It seems that one says that
an error SHOULD be returned if the end-user
identified by the id_token_hint isn't the current
user while the other says an error MUST be returned.</dt>
</dl>
<p>Is this an oversight that should maybe be
fixed in errata v.next? <br>
</p>
<p>Or is there something more subtle or
intentional here?<br>
</p>
<dl>
<dt><br>
</dt>
<dt><a href="http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest" target="_blank">http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest</a></dt>
<dd><br>
</dd>
<dt> id_token_hint</dt>
<dd> OPTIONAL. ID Token previously issued by
the Authorization Server being passed as a hint
about the End-User's current or past authenticated
session with the Client.
<b> If the End-User identified by the ID
Token is logged in or is logged in by the request,
then the Authorization Server returns a positive
response; otherwise, it SHOULD return an error,
such as <tt>login_required</tt>.</b>
When possible, an <tt>id_token_hint</tt>
SHOULD be present when <tt>prompt=none</tt>
is used and an <tt>invalid_request</tt>
error MAY be returned if it is not; however, the
server SHOULD respond successfully when possible,
even if it is not present. The Authorization Server
need not be listed as an audience of the ID Token
when it is used as an <tt>id_token_hint</tt>
value. </dd>
</dl>
<p><br>
</p>
<p><a href="http://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation" target="_blank">http://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation</a></p>
<p style="margin-left:40px">If the <tt>sub</tt> (subject) Claim is requested with
a specific value for the ID Token, the <b>Authorization
Server MUST only send a positive response if the
End-User identified by that <tt>sub</tt>
value has an active session with the Authorization
Server or has been Authenticated as a result of the
request. The Authorization Server MUST NOT reply
with an ID Token or Access Token for a different
user,</b> even if they have an active session with
the Authorization Server. Such a request can be made
either using an <tt>id_token_hint</tt>
parameter or by requesting a specific Claim Value as
described in <a href="http://openid.net/specs/openid-connect-core-1_0.html#IndividualClaimsRequests" target="_blank">Section 5.5.1</a>,
if the <tt>claims</tt> parameter is
supported by the implementation. </p>
<p><br>
</p>
</div>
_______________________________________________<br>
Openid-specs-ab mailing list<br>
<a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank">Openid-specs-ab@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><br>
</div>
</blockquote>
</div>
<br>
</div>
<br>
<fieldset></fieldset>
<br>
<pre>_______________________________________________
Openid-specs-ab mailing list
<a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank">Openid-specs-ab@lists.openid.net</a>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a>
</pre>
</blockquote>
<br>
</div></div><span class="HOEnZb"><font color="#888888"><div>-- <br>
<a href="http://connect.me/gffletch" title="View full card on
Connect.Me" target="_blank"><img src="cid:part6.05040102.08080909@aol.com" alt="George Fletcher" height="113" width="359"></a></div>
</font></span></div>
</blockquote></div><br></div>