<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Hi Axel,</p>
<p>I think it will very much depend on the application / deployment.
I don't know why the single hint requirement was chosen. Perhaps
to keep the OP logic and / or the spec simple. RP-initiated logout
allows two hints to be included in a request:</p>
<p><a class="moz-txt-link-freetext" href="https://openid.net/specs/openid-connect-rpinitiated-1_0.html#RPLogout">https://openid.net/specs/openid-connect-rpinitiated-1_0.html#RPLogout</a><br>
</p>
<p>Is prompt (=none) a CIBA request parameter? According to my
reading of the draft, it isn't. In addition to that, I'm not sure
how safe it is for an OP to accept prompt=none in a CIBA flow. Say
the OP issues the CD with a JWT after the first successful login,
and the CD then takes that JWT as a login_hint_token or
id_token_hint in a prompt=none CIBA request. Should the OP accept
the CIBA request without any user interaction? With a prompt=none
where the client is accessed via the user's browser, there is
always some initiating user interaction that triggers the request.
If the client is on a different device and it sends a back-channel
prompt=none request, the user is left completely oblivious. If
that's intended, a refresh token seems like the honest approach.</p>
<blockquote type="cite"><span style="font-size:11.0pt"
lang="EN-US">let the user enter their login identifier</span></blockquote>
<p>Is this supposed to happen at the CD?</p>
<p><br>
</p>
<pre class="moz-signature" cols="72">Vladimir</pre>
<div class="moz-cite-prefix">On 17/04/2024 14:56, Axel Nennker via
Openid-specs-ab wrote:<br>
</div>
<blockquote type="cite"
cite="mid:BE1P281MB209782D5631193F0F581517FED0F2@BE1P281MB2097.DEUP281.PROD.OUTLOOK.COM">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt" lang="DE">Hi,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt" lang="DE"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt" lang="EN-US">CIBA
requires exactly ONE hint.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt" lang="EN-US"><o:p> </o:p></span></p>
<ul style="margin-top:0cm" type="disc">
<li class="MsoListParagraph"
style="margin-left:0cm;mso-list:l1 level1 lfo1">Because in
the CIBA flow, the OP does not have an interaction with the
end-user through the consumption device, it is REQUIRED that
the Client provides one (and only one) of the hints
specified above in the authentication request, that is
"login_hint_token", "id_token_hint" or "login_hint".<span
style="font-size:11.0pt" lang="EN-US"><o:p></o:p></span></li>
</ul>
<p class="MsoNormal"><span style="font-size:11.0pt" lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt" lang="EN-US">In
OIDC id_token_hint and login_hint are optional, but there is
no text on what the OP should do if there is more than one
hint, and what to do when the hints contradict each other.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt" lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt" lang="EN-US">Options
for prompt not none:<o:p></o:p></span></p>
<ol style="margin-top:0cm" type="1" start="1">
<li class="MsoListParagraph"
style="margin-left:18.0pt;mso-list:l0 level1 lfo2"><span
style="font-size:11.0pt" lang="EN-US">id_token_hint takes
precedence</span></li>
<li class="MsoListParagraph"
style="margin-left:18.0pt;mso-list:l0 level1 lfo2"><span
style="font-size:11.0pt" lang="EN-US">id_token_hint sub
value and login_hint value are the same, then no problem</span></li>
<li class="MsoListParagraph"
style="margin-left:18.0pt;mso-list:l0 level1 lfo2"><span
style="font-size:11.0pt" lang="EN-US">id_token_hint sub
value and login_hint value contradict each other, then
return invalid_request</span></li>
<li class="MsoListParagraph"
style="margin-left:18.0pt;mso-list:l0 level1 lfo2"><span
style="font-size:11.0pt" lang="EN-US">id_token_hint sub
value and login_hint value contradict each other, then
ignore both hints and let the user enter their login
identifier</span></li>
<li class="MsoListParagraph"
style="margin-left:18.0pt;mso-list:l0 level1 lfo2"><span
style="font-size:11.0pt" lang="EN-US">If more than one
hint is in the request, then return invalid_request</span></li>
<li class="MsoListParagraph"
style="margin-left:18.0pt;mso-list:l0 level1 lfo2"><span
style="font-size:11.0pt" lang="EN-US">Write into the spec
that the OP's behavior is unspecified, like in the missing
-"openid"-scope case<o:p></o:p></span></li>
<li class="MsoListParagraph"
style="margin-left:18.0pt;mso-list:l0 level1 lfo2"><span
style="font-size:11.0pt" lang="EN-US">Some other claim in
id_token_hint and login_hint match, then no problem</span></li>
<li class="MsoListParagraph"
style="margin-left:18.0pt;mso-list:l0 level1 lfo2"><span
style="font-size:11.0pt" lang="EN-US">Do not add
clarifying text to the spec<o:p></o:p></span></li>
</ol>
<p class="MsoNormal"><span style="font-size:11.0pt" lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt" lang="EN-US">Options
for prompt=none:<o:p></o:p></span></p>
<ol style="margin-top:0cm" type="1" start="1">
<li class="MsoListParagraph"
style="margin-left:18.0pt;mso-list:l2 level1 lfo3"><span
style="font-size:11.0pt" lang="EN-US">Basically the same
options, except 4)</span></li>
</ol>
<p class="MsoNormal"><span style="font-size:11.0pt" lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt" lang="EN-US">In
general the spec encourages the OP to be helpful. And hints
are only hints.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt" lang="EN-US">So,
I suggest adding:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt" lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt" lang="EN-US">```<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt" lang="EN-US">If
`prompt=none` and there are both an id_token_hint and a
login_hint parameter in the request, then the id_token_hint
takes precedence and the login_hint parameter SHOULD be
ignored. The authorization server MUST not try to use the
id_token followed by trying the login_hint or vice versa.</span></p>
<p class="MsoNormal"><span style="font-size:11.0pt" lang="EN-US">If
there is no prompt parameter or its value is other than
`none` and there are both an id_token_hint and a login_hint
parameter in the request, then it is RECOMMENDED that the
authorization server uses the id_token_hint.</span></p>
<p class="MsoNormal"><span style="font-size:11.0pt" lang="EN-US">```<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt" lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt" lang="EN-US">What
do you think?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt" lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt" lang="EN-US">Kind
regards<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt" lang="EN-US">Axel<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt" lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt" lang="EN-US"><o:p> </o:p></span></p>
</div>
</blockquote>
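<p>Added example, not code from either message in this thread: a Python sketch of an OP's hint-selection logic as discussed above, the CIBA exactly-one-hint rule beside the precedence text Axel proposes for OIDC (id_token_hint wins, login_hint ignored under prompt=none, user interaction only possible otherwise). The token builder, function names and the fields of the returned decision are assumptions made for the demo; signature verification of the id_token_hint is assumed to happen before these functions are called.</p>

```python
import base64
import json

HINTS = ("login_hint_token", "id_token_hint", "login_hint")

class InvalidRequest(Exception):
    """The OP should answer the request with an 'invalid_request' error."""

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_unsigned_token(claims):
    """Constructed demo token: header.payload with an empty signature.
    Real hints must be tokens the OP itself issued and can verify."""
    header = b64url(json.dumps({"alg": "none"}).encode())
    return header + "." + b64url(json.dumps(claims).encode()) + "."

def jwt_payload(token):
    """Decode the payload of a compact JWT. Assumption: the caller has already
    verified signature and issuer, so only the claims are of interest here."""
    seg = token.split(".")[1]
    seg += "=" * (-len(seg) % 4)  # restore the base64url padding
    return json.loads(base64.urlsafe_b64decode(seg))

def ciba_select_hint(params):
    """CIBA rule: exactly one of the three hints, anything else is an error."""
    present = [h for h in HINTS if params.get(h)]
    if len(present) != 1:
        raise InvalidRequest("CIBA requires exactly one hint, got %d" % len(present))
    return present[0], params[present[0]]

def oidc_select_hint(params):
    """OIDC authorization request, following the text proposed in the thread:
    id_token_hint takes precedence over login_hint. With prompt=none the
    login_hint is ignored outright (no fallback); without prompt=none the OP
    may instead ask the user when the two hints disagree (option 4)."""
    interactive = "none" not in params.get("prompt", "").split()
    idt, lh = params.get("id_token_hint"), params.get("login_hint")
    decision = {"hint": None, "user": None, "conflict": False, "may_ask_user": False}
    if idt:
        sub = jwt_payload(idt).get("sub")
        decision.update(hint="id_token_hint", user=sub)
        if lh and lh != sub:
            # worth logging: one client naming two different users in one request
            decision.update(conflict=True, may_ask_user=interactive)
    elif lh:
        decision.update(hint="login_hint", user=lh)
    return decision
```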
</body>
</html>