<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <font face="Helvetica, Arial, sans-serif">I'm not sure this makes
      sense. The OpenID Connect spec says...<br>
    </font><font face="Helvetica, Arial, sans-serif"><br>
      <dt>login</dt>
      <dd>The Authorization Server SHOULD prompt the End-User
        for reauthentication. If it cannot reauthenticate the End-User,
        it MUST return an error, typically <tt>login_required</tt>.</dd>
      <br>
    </font><br>
    In this particular case, since the desire is for the user to create
    a new account, the user may not need to log in.<br>
    <br>
    That said, I'm updating the spec to make 'prompt=create' more of a
    hint to the OP rather than a requirement of what the OP MUST do.<br>
    <br>
    Thanks,<br>
    George<br>
    <br>
    P.S. New version to be posted shortly :)<br>
    <br>
    <div class="moz-cite-prefix">On 1/31/19 9:33 PM, nov matake via
      Openid-specs-ab wrote:<br>
    </div>
    <blockquote type="cite"
      cite="mid:BF329DB5-61F0-4DEC-B265-48DE66CC670D@matake.jp">
      <div class="">Hi George,</div>
      <div class=""><br class="">
      </div>
      Even when RP requests "prompt=create", IdP can allow logging into
      existing account on its signup page.
      <div class="">e.g., <a href="https://login.aol.com/account/create"
          class="" moz-do-not-send="true">https://login.aol.com/account/create</a></div>
      <div class=""><br class="">
        <div class="">So that, allowing "prompt=create login" seems
          meaningful to me.</div>
        <div class=""><br class="">
        </div>
        <div class="">nov<br class="">
          <div><br class="">
            <blockquote type="cite" class="">
              <div class="">On Feb 1, 2019, at 9:40, Brock Allen via
                Openid-specs-ab &lt;<a
                  href="mailto:openid-specs-ab@lists.openid.net"
                  class="" moz-do-not-send="true">openid-specs-ab@lists.openid.net</a>&gt;
                wrote:</div>
              <br class="Apple-interchange-newline">
              <div class="">
                <div id="__MailbirdStyleContent" style="font-size: 10pt;
                  font-family: 'Lucida Console';" class=""> Do
                  you have a concrete example of how a client would know
                  to send prompt=create?
                  <div class=""><br class="">
                  </div>
                  <div class="">I ask because my first reaction is that
                    given the client doesn't authenticate the user, it
                    has no idea if the user has an account or not, so
                    how/why would it know to send this value? </div>
                  <div class=""><br class="">
                  </div>
                  <div class="">Or are you simply imagining the scenario
                    where the client shows a "login" or "register" link,
                    rather than getting the OP to do that?<br class="">
                    <div class=""><br class="">
                    </div>
                    <div class="mb_sig"><span style="font-family: Lucida
                        Console" class="">-Brock</span>
                      <div class=""><br class="">
                      </div>
                    </div>
                    <blockquote class="history_container" type="cite"
                      style="border-left-style:solid;border-width:1px;
                      margin-top:20px;
                      margin-left:0px;padding-left:10px;">
                      <p style="color: #AAAAAA; margin-top: 10px;"
                        class="">On 1/31/2019 3:46:26 PM, George
                        Fletcher via Openid-specs-ab &lt;<a
                          href="mailto:openid-specs-ab@lists.openid.net"
                          class="" moz-do-not-send="true">openid-specs-ab@lists.openid.net</a>&gt;
                        wrote:</p>
                      <div
                        style="font-family:Arial,Helvetica,sans-serif"
                        class=""> <span style="font-family: Helvetica,
                          Arial, sans-serif" class="">Thanks so much for
                          the quick feedback William! Comments inline...</span><br
                          class="">
                        <br class="">
                        <div class="moz-cite-prefix">On 1/31/19 12:45
                          PM, William Denniss wrote:<br class="">
                        </div>
                        <blockquote type="cite"
cite="mid:CAAP42hDoV3e7KQ17HCqq80chDCzZQ0X9BrCztsGZWcEb85SNNA@mail.gmail.com"
                          class="">
                          <div dir="ltr" class="">
                            <div dir="ltr" class="">
                              <div class="">Hi George,</div>
                              <div class=""><br class="">
                              </div>
                              <div class="">Some quick review thoughts:</div>
                              <div class=""><br class="">
                              </div>
                              <div class="">Section 4 Why is there a
                                prohibition on combining "create" with
                                other prompt values? What if a future
                                prompt value was added that was
                                compatible with "create"?</div>
                            </div>
                          </div>
                        </blockquote>
                        My thinking (though I'm open to options) is that
                        there are many values that can be mutually
                        exclusive. For example, what does prompt="create
                        consent" mean? I'm happy to reduce this to
                        SHOULD to allow for future possibilities. Or
                        change the wording to explain that other prompt
                        values that conflict with "create" should not be
                        used.<br class="">
                        <blockquote type="cite"
cite="mid:CAAP42hDoV3e7KQ17HCqq80chDCzZQ0X9BrCztsGZWcEb85SNNA@mail.gmail.com"
                          class="">
                          <div dir="ltr" class="">
                            <div dir="ltr" class=""><br
                                class="gmail-Apple-interchange-newline">
                              <div class="">Section 4.1, "the account
                                creation experience" isn't defined by
                                any OpenID spec, so requiring it with a
                                MUST could be problematic. Also, most
                                guidance on the UI shown by the OP is
                                generally in the form of recommendations
                                not normative requirements (e.g. around
                                scope consent screens).</div>
                            </div>
                          </div>
                        </blockquote>
                        OK, I'm fine changing this to a SHOULD if that
                        makes things more acceptable :)<br class="">
                        <blockquote type="cite"
cite="mid:CAAP42hDoV3e7KQ17HCqq80chDCzZQ0X9BrCztsGZWcEb85SNNA@mail.gmail.com"
                          class="">
                          <div dir="ltr" class="">
                            <div dir="ltr" class="">
                              <div class=""><br class="">
                              </div>
                              <div class="">As background, how would you
                                expect this to be shown on the client?
                                Two different buttons, one to connect an
                                existing account, one to create a new
                                account? Might be worth a non-normative
                                discussion in the doc about how the
                                clients might use this.</div>
                            </div>
                          </div>
                        </blockquote>
                        More or less, yes:) There are some use cases
                        where the client may want to allow the user to
                        choose between the options (sign-up vs sign-in)
                        before starting the authentication flow. I don't
                        think it precludes the OP from having to know
                        that a client started an authenticate flow, the
                        user chose the sign-up link/button and then at
                        the end of registration the OP needs to redirect
                        back to the client with a code. However, it does
                        allow the client to optimize the experience.<br
                          class="">
                        <br class="">
                        Thanks again,<br class="">
                        George<br class="">
                        <blockquote type="cite"
cite="mid:CAAP42hDoV3e7KQ17HCqq80chDCzZQ0X9BrCztsGZWcEb85SNNA@mail.gmail.com"
                          class="">
                          <div dir="ltr" class="">
                            <div dir="ltr" class="">
                              <div class=""><br class="">
                              </div>
                              <div class="">William</div>
                              <div dir="ltr" class=""><br class="">
                              </div>
                            </div>
                          </div>
                          <br class="">
                          <div class="gmail_quote">
                            <div dir="ltr" class="gmail_attr">On Thu,
                              Jan 31, 2019 at 9:19 AM George Fletcher
                              via Openid-specs-ab &lt;<a
                                href="mailto:openid-specs-ab@lists.openid.net"
                                moz-do-not-send="true" class="">openid-specs-ab@lists.openid.net</a>&gt;
                              wrote:<br class="">
                            </div>
                            <blockquote class="gmail_quote"
                              style="margin:0px 0px 0px
                              0.8ex;border-left:1px solid
                              rgb(204,204,204);padding-left:1ex">I've
                              attached both the XML and Text versions of
                              a very small spec that <br class="">
                              defines a new parameter value for the
                              'prompt' parameter that allows the <br
                                class="">
                              client to request the user go directly to
                              the account creation flow and <br
                                class="">
                              when the user has successfully created the
                              account, return a 'code' to <br class="">
                              the client. This improves the user
                              experience by allowing the client to <br
                                class="">
                              direct the user directly to the account
                              creation page.<br class="">
                              <br class="">
                              Feedback greatly appreciated!<br class="">
                              <br class="">
                              Thanks,<br class="">
                              George<br class="">
                              <br class="">
                              <br class="">
_______________________________________________<br class="">
                              Openid-specs-ab mailing list<br class="">
                              <a
                                href="mailto:Openid-specs-ab@lists.openid.net"
                                target="_blank" moz-do-not-send="true"
                                class="">Openid-specs-ab@lists.openid.net</a><br
                                class="">
                              <a
                                href="http://lists.openid.net/mailman/listinfo/openid-specs-ab"
                                rel="noreferrer" target="_blank"
                                moz-do-not-send="true" class="">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><br
                                class="">
                            </blockquote>
                          </div>
                        </blockquote>
                      </div>
                    </blockquote>
                  </div>
                </div>
              </div>
            </blockquote>
          </div>
          <br class="">
        </div>
      </div>
      <br>
    </blockquote>
    <br>
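Added example, not part of this thread or of the draft spec: a sketch of how an RP could build the "sign in" and "sign up" requests and how an OP could treat prompt=create as a hint, including the "create login" combination discussed above. The endpoint, client values, function names, screen names, the signup_supported flag and the invalid_request code for "none" combined with other values are assumptions.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed placeholder endpoint and client values, not taken from the thread.
AUTHORIZE = "https://op.example/authorize"
BASE = {"response_type": "code", "client_id": "rp1", "scope": "openid",
        "redirect_uri": "https://rp.example/cb"}

def authz_url(prompt=None):
    """RP side: build the request behind a 'sign in' or 'sign up' button."""
    params = dict(BASE)
    if prompt:
        params["prompt"] = prompt  # space-delimited list, e.g. "create login"
    return AUTHORIZE + "?" + urlencode(params)

def prompt_values(url):
    """OP side: split the space-delimited prompt parameter into values."""
    raw = parse_qs(urlsplit(url).query).get("prompt", [""])[0]
    return raw.split()

def decide(url, has_session, signup_supported=True):
    """OP side: pick the next screen, or an error for the redirect back."""
    values = prompt_values(url)
    if "none" in values:
        # Core: none cannot be combined with other values (error code assumed).
        if len(values) != 1:
            return "error:invalid_request"
        return "issue_code" if has_session else "error:login_required"
    if "create" in values and signup_supported:
        # Hint honoured; the sign-up page may still link to sign-in.
        return "signup_page"
    if "login" in values or not has_session:
        # Covers an ignored create hint as well as an explicit login prompt.
        return "login_page"
    if "consent" in values:
        return "consent_page"
    return "issue_code"
```

An OP that has no sign-up flow falls through to its normal login handling, which is the "hint rather than requirement" behaviour described in the top reply.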
  </body>
</html>