<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<font face="Helvetica, Arial, sans-serif">I thought about a
different parameter, but I'm not crazy about adding parameters if
we don't need to. I'm open to feedback here though:)<br>
<br>
I'm not sure it's always the case that using an existing session
is better than creating a new one. For example, a use case where
multiple people use the same device. In that context, if the user
says they want to create a new identity, and a session exists for
a different person, using that existing session silently is not
good.<br>
<br>
Thanks,<br>
George<br>
</font><br>
<div class="moz-cite-prefix">On 2/1/19 12:02 PM, Filip Skokan wrote:<br>
</div>
<blockquote type="cite"
cite="mid:1052D6E5-7F31-4EFE-8E84-E81581D201A8@gmail.com">
Hello George,
<div><br>
</div>
<div>I’m torn about using a prompt parameter for this. An OP may
already have a session established and this would prevent it
being used. A common authz pipeline will halt the request
processing when a prompt parameter is encountered. </div>
<div><br>
</div>
<div>In the past we’ve dealt with this using a custom parameter
when_anonymous=login/register (pick one, default to OP policy).</div>
<div><br>
</div>
<div>This would tell the OP the client’s preference in the initial
view <b>only in case there’s no session</b>, since having a
session and hitting just the consent screen is preferred over
both login and registration. </div>
<div><br>
</div>
<div>Best,</div>
<div>Filip</div>
<div><br>
<div id="AppleMailSignature" dir="ltr">Sent from iPhone</div>
<div dir="ltr"><br>
1. 2. 2019 at 16:54, George Fletcher via Openid-specs-ab &lt;<a
href="mailto:openid-specs-ab@lists.openid.net"
moz-do-not-send="true">openid-specs-ab@lists.openid.net</a>&gt;:<br>
<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<font face="Helvetica, Arial, sans-serif">So we've run into a
situation in our mobile apps where the app allows the user
to choose "sign up" and we want to skip the login form
completely. This allows the app (if it chooses) to present
a native button for sign up rather than just sending the
user to the OP login form and having the user "hunt" for
the signup link to click it.<br>
<br>
Just as an example, on first launch of an app that may
require authentication, having the app show a native UI
that allows the user to choose (login with existing
identity or create a new one) can be helpful to the user.<br>
<br>
Thanks,<br>
George<br>
</font><br>
<div class="moz-cite-prefix">On 1/31/19 7:40 PM, Brock Allen
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:d3612992-9d1d-494e-8c2f-08fa93e6524c@getmailbird.com">
<div id="__MailbirdStyleContent" style="font-size:
10pt;font-family: Lucida Console;color: #000000"> Do you
have a concrete example of how a client would know to
send prompt=create?
<div><br>
</div>
<div>I ask because my first reaction is that given the
client doesn't authenticate the user, it has no idea
if the user has an account or not, so how/why would it
know to send this value? </div>
<div><br>
</div>
<div>Or are you simply imagining the scenario where the
client shows a "login" or "register" link, rather than
getting the OP to do that?<br>
<div><br>
</div>
<div class="mb_sig"><span style="font-family: Lucida
Console">-Brock</span>
<div><br>
</div>
</div>
<blockquote class="history_container" type="cite"
style="border-left-style:solid;border-width:1px;
margin-top:20px; margin-left:0px;padding-left:10px;">
<p style="color: #AAAAAA; margin-top: 10px;">On
1/31/2019 3:46:26 PM, George Fletcher via
Openid-specs-ab <a class="moz-txt-link-rfc2396E"
href="mailto:openid-specs-ab@lists.openid.net"
moz-do-not-send="true">&lt;openid-specs-ab@lists.openid.net&gt;</a>
wrote:</p>
<div style="font-family:Arial,Helvetica,sans-serif">
<span style="font-family: Helvetica, Arial,
sans-serif">Thanks so much for the quick
feedback William! Comments inline...</span><br>
<br>
<div class="moz-cite-prefix">On 1/31/19 12:45 PM,
William Denniss wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAAP42hDoV3e7KQ17HCqq80chDCzZQ0X9BrCztsGZWcEb85SNNA@mail.gmail.com">
<div dir="ltr">
<div dir="ltr">
<div>Hi George,</div>
<div><br>
</div>
<div>Some quick review thoughts:</div>
<div><br>
</div>
<div>Section 4 Why is there a prohibition on
combining "create" with other prompt
values? What if a future prompt value was
added that was compatible with "create"?</div>
</div>
</div>
</blockquote>
My thinking (though I'm open to options) is that
there are many values that can be mutually
exclusive. For example, what does prompt="create
consent" mean? I'm happy to reduce this to SHOULD
to allow for future possibilities. Or change the
wording to explain that other prompt values that
conflict with "create" should not be used.<br>
<blockquote type="cite"
cite="mid:CAAP42hDoV3e7KQ17HCqq80chDCzZQ0X9BrCztsGZWcEb85SNNA@mail.gmail.com">
<div dir="ltr">
<div dir="ltr"><br
class="gmail-Apple-interchange-newline">
<div>Section 4.1, "the account creation
experience" isn't defined by any OpenID
spec, so requiring it with a MUST could be
problematic. Also, most guidance on the UI
shown by the OP is generally in the form
of recommendations not normative
requirements (e.g. around scope consent
screens).</div>
</div>
</div>
</blockquote>
OK, I'm fine changing this to a SHOULD if that
makes things more acceptable :)<br>
<blockquote type="cite"
cite="mid:CAAP42hDoV3e7KQ17HCqq80chDCzZQ0X9BrCztsGZWcEb85SNNA@mail.gmail.com">
<div dir="ltr">
<div dir="ltr">
<div><br>
</div>
<div>As background, how would you expect
this to be shown on the client? Two
different buttons, one to connect an
existing account, one to create a new
account? Might be worth a non-normative
discussion in the doc about how the
clients might use this.</div>
</div>
</div>
</blockquote>
More or less, yes:) There are some use cases where
the client may want to allow the user to choose
between the options (sign-up vs sign-in) before
starting the authentication flow. I don't think it
precludes the OP from having to know that a client
started an authenticate flow, the user chose the
sign-up link/button and then at the end of
registration the OP needs to redirect back to the
client with a code. However, it does allow the
client to optimize the experience.<br>
<br>
Thanks again,<br>
George<br>
<blockquote type="cite"
cite="mid:CAAP42hDoV3e7KQ17HCqq80chDCzZQ0X9BrCztsGZWcEb85SNNA@mail.gmail.com">
<div dir="ltr">
<div dir="ltr">
<div><br>
</div>
<div>William</div>
<div dir="ltr"><br>
</div>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Thu, Jan
31, 2019 at 9:19 AM George Fletcher via
Openid-specs-ab &lt;<a
href="mailto:openid-specs-ab@lists.openid.net"
moz-do-not-send="true">openid-specs-ab@lists.openid.net</a>&gt;
wrote:<br>
</div>
<blockquote class="gmail_quote"
style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">I've
attached both the XML and Text versions of a
very small spec that <br>
defines a new parameter value for the
'prompt' parameter that allows the <br>
client to request the user go directly to
the account creation flow and <br>
when the user has successfully created the
account, return a 'code' to <br>
the client. This improves the user
experience by allowing the client to <br>
direct the user directly to the account
creation page.<br>
<br>
Feedback greatly appreciated!<br>
<br>
Thanks,<br>
George<br>
<br>
<br>
_______________________________________________<br>
Openid-specs-ab mailing list<br>
<a
href="mailto:Openid-specs-ab@lists.openid.net"
target="_blank" moz-do-not-send="true">Openid-specs-ab@lists.openid.net</a><br>
<a
href="http://lists.openid.net/mailman/listinfo/openid-specs-ab"
rel="noreferrer" target="_blank"
moz-do-not-send="true">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><br>
</blockquote>
</div>
</blockquote>
</div>
</blockquote>
</div>
</div>
</blockquote>
<br>
</div>
</blockquote>
</div>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Identity Standards Architect
Verizon Media Work: <a class="moz-txt-link-abbreviated" href="mailto:george.fletcher@oath.com">george.fletcher@oath.com</a>
Mobile: +1-703-462-3494 Twitter: <a class="moz-txt-link-freetext" href="http://twitter.com/gffletch">http://twitter.com/gffletch</a>
Office: +1-703-265-2544 Photos: <a class="moz-txt-link-freetext" href="http://georgefletcher.photography">http://georgefletcher.photography</a>
</pre>
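<p>The two behaviours discussed in this thread, side by side, as an added example that is not part of the original messages or of any OP's code: <code>prompt=create</code> going to registration even when a session exists (the shared-device concern), and <code>when_anonymous</code> acting only when there is no session. The function name, view names, <code>op_policy</code> argument and the <code>op.example</code> host are hypothetical, and rejecting "create" combined with other values is an assumption taken from the draft's prohibition under discussion.</p>

```python
from urllib.parse import urlsplit, parse_qs

# Hypothetical view names for this sketch; not defined by any OpenID spec.
ERROR, REGISTER, LOGIN, CONSENT = "error:invalid_request", "register", "login", "consent"


def initial_view(authz_url, has_session, op_policy=LOGIN):
    """Return the first screen a sketch OP would show for this request.

    has_session: the browser already holds an OP session (possibly for a
    different person on a shared device).
    op_policy: the OP's own default for anonymous users.
    """
    query = parse_qs(urlsplit(authz_url).query)
    prompt = set(query.get("prompt", [""])[0].split())
    when_anonymous = query.get("when_anonymous", [op_policy])[0]

    if "create" in prompt:
        # Assumption: keep the draft's prohibition on combining "create"
        # with other prompt values (the thread discusses relaxing it).
        if len(prompt) > 1:
            return ERROR
        # Explicit request for a new identity: go to registration even if a
        # session exists, so another person's session is not reused silently.
        return REGISTER
    if "login" in prompt:
        return LOGIN
    if has_session:
        # when_anonymous is only a hint for the no-session case.
        return CONSENT
    return when_anonymous if when_anonymous in (LOGIN, REGISTER) else op_policy


# Constructed sample requests (op.example is a placeholder host).
BASE = "https://op.example/authorize?client_id=app&response_type=code&scope=openid"
SAMPLES = {
    "create, session exists": (BASE + "&prompt=create", True),
    "create + consent": (BASE + "&prompt=create%20consent", True),
    "when_anonymous, session exists": (BASE + "&when_anonymous=register", True),
    "when_anonymous, no session": (BASE + "&when_anonymous=register", False),
}

if __name__ == "__main__":
    for label, (url, session) in SAMPLES.items():
        print(f"{label:32} -> {initial_view(url, session)}")
```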
</body>
</html>