Abstract of the Initiating User Registration specification
The abstract of the Initiating User Registration specification (draft 05) tells us that:
An extension to the OpenID Connect Authentication Framework defining a new value for the prompt parameter that instructs the OpenID Provider to start the user flow with user registration and after the user account has been created return an authorization code to the client to complete the authentication flow.
The Implicit Flow according to the OpenID Connect Core specification doesn’t include a step with the authorization code, or in other words, doesn’t rely on it (this flow returns an ID Token or an ID Token + an AT).
I suggest omitting or changing the text in a way to reflect that.
Comments (7)
changed status to open
We discussed this during the 26-Sep-22 working group call. We agree with Andrii that the wording should not presume that a flow using an authorization code will be used. That, or if this is only intended to be used with certain flows, then that should be clearly stated in the specification.
assigned issue to
assigned issue to
I’m sorry I wasn’t able to attend the call. Thanks for the feedback. I’ll update the text.
How does this text work as an update?
An extension to the OpenID Connect Authentication Framework defining a new value for the prompt parameter that instructs the OpenID Provider to start the user flow with user registration and after the user account has been created return the requested tokens to the client to complete the authentication flow.
Please see PR 309
changed status to resolved
As one of the implementers, I would like to add that the user registration flow should be considered completed only after a client gets an ID Token or an ID Token + an AT. Otherwise, there is too much room to abuse an OP, the way I see it.
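The flow distinction the issue description draws (an Implicit Flow response carries an ID Token or an ID Token + an Access Token and never an authorization code) and the implementer's point directly above (the client should treat registration as complete only once it holds an ID Token), as one added example. This is illustrative code written for this page, not code from the specification, from PR 309, or from any OpenID Provider implementation. It assumes a relying party validating the OP's redirect with Python's standard library; the prompt value `create` in the request builder is the value the Initiating User Registration specification itself defines (this thread never spells it out); the endpoint, client id, state and token strings are constructed sample values, and the ID Token is a placeholder, not a real JWT.

```python
"""Relying-party side checks for the OpenID Connect flows discussed in the issue.

Added illustrative code for this page; not from the specification or any OP.
Shows that the Implicit Flow returns an ID Token (optionally with an Access
Token) in the fragment and no authorization code, while the Authorization
Code Flow returns only a code in the query, so "complete" means different
things at the redirect depending on the flow.
"""
from urllib.parse import parse_qs, urlencode, urlsplit

# OIDC Core section 3: response_type value -> (flow, where the OP puts the
# response parameters, parameters the OP must return). Code Flow responses
# travel in the query string; Implicit and Hybrid responses in the fragment.
FLOWS = {
    "code": ("authorization_code", "query", {"code"}),
    "id_token": ("implicit", "fragment", {"id_token"}),
    "id_token token": ("implicit", "fragment", {"id_token", "access_token"}),
    "code id_token": ("hybrid", "fragment", {"code", "id_token"}),
    "code token": ("hybrid", "fragment", {"code", "access_token"}),
    "code id_token token": ("hybrid", "fragment", {"code", "id_token", "access_token"}),
}


def build_registration_request(authorization_endpoint, client_id, redirect_uri,
                               response_type, state, nonce):
    """Authorization request asking the OP to begin with user registration.

    prompt=create is the value the Initiating User Registration spec defines
    (taken from the spec, not from this thread); the other parameters are
    plain OIDC Core. nonce is REQUIRED whenever an ID Token comes back from
    the authorization endpoint, so it is always sent here.
    """
    query = {
        "response_type": response_type,
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": state,
        "nonce": nonce,
        "prompt": "create",
    }
    return f"{authorization_endpoint}?{urlencode(query)}"


def _lookup_flow(response_type):
    requested = set(response_type.split())
    for key, entry in FLOWS.items():
        if set(key.split()) == requested:  # token order in response_type is not significant
            return entry
    raise ValueError(f"unknown response_type {response_type!r}")


def check_auth_response(redirect_url, response_type, expected_state):
    """Validate the OP's redirect back to the RP against the requested flow.

    Returns a summary dict, or raises ValueError when the response does not
    match what that flow may return. Signature, nonce and audience validation
    of the ID Token is a separate step, deliberately not shown here.
    """
    flow, where, expected = _lookup_flow(response_type)
    parts = urlsplit(redirect_url)
    raw = parts.query if where == "query" else parts.fragment
    params = {k: v[0] for k, v in parse_qs(raw, keep_blank_values=True).items()}

    if "error" in params:
        raise ValueError(f"OP returned error {params['error']!r}")
    if params.get("state") != expected_state:
        raise ValueError("state mismatch: response does not belong to this request")
    missing = expected - set(params)
    if missing:
        raise ValueError(f"{flow} flow response is missing {sorted(missing)}")
    if "code" in params and "code" not in expected:
        raise ValueError("authorization code present in a flow that returns none")

    return {
        "flow": flow,
        "uses_code": "code" in expected,
        "has_id_token": "id_token" in params,
        "has_access_token": "access_token" in params,
        # The RP can treat registration/authentication as finished only once it
        # holds an ID Token: immediately for implicit (and hybrid with id_token),
        # only after the token endpoint exchange for the pure code flow.
        "complete_at_redirect": "id_token" in params,
    }


def response_is_valid(redirect_url, response_type, expected_state):
    """True when check_auth_response accepts the response, False otherwise."""
    try:
        check_auth_response(redirect_url, response_type, expected_state)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample values; "hdr.body.sig" stands in for a real ID Token JWT.
    print(build_registration_request("https://op.example/authorize", "rp-client",
                                     "https://rp.example/cb", "id_token", "st1", "n1"))
    print(check_auth_response("https://rp.example/cb?code=samplecode&state=st1", "code", "st1"))
    print(check_auth_response("https://rp.example/cb#id_token=hdr.body.sig&state=st1",
                              "id_token", "st1"))
```

Run as a script it prints a registration request for the Implicit Flow and the two validation summaries: the code-flow response reports `uses_code` true and `complete_at_redirect` false (the ID Token only arrives from the token endpoint), the implicit response reports the reverse, which is exactly why the abstract's "return an authorization code" wording did not fit every flow.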