Messages - 2.1.2 Authorization Request - id_token error condition needed
Issue #610
wontfix
In 2.1.2, it is defined as:
id_token OPTIONAL. An ID Token passed to the Authorization server as a hint about the user's current or past authenticated session with the client. This SHOULD be present if prompt=none is sent.
We need to specify the behavior of the IdP for each prompt type.
- Case 1: the user specified via id_token and the only user at the IdP matches
- Case 2: the user specified via id_token is one of the current users at the IdP.
- Case 3: the user specified via id_token and the user at the IdP does not match
- Case 4: when there is no user at the IdP
Examples
- E1: prompt=none + Case 2 => the user specified via id_token MUST be returned.
- E2: prompt=login + Case 4 => Only the user specified in id_token is allowed for the successful authentication.
- E3: prompt=login + Case 3 => Same as E2
etc.
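To make the case split above concrete, here is an added example (not part of the issue, the spec text, or any OpenID Connect implementation) that models the IdP-side decision in Python. The `sub` claim is read from the id_token hint after checking that the token names this IdP as `iss`; the case numbers follow the issue, and the outcomes for E1, E2 and E3 follow the examples given. The issuer URL, the `invalid_request` and `login_required` results for hints the IdP cannot use, and the use of an unsigned token to construct the sample hint are assumptions of this model, marked as such in the code.

```python
import base64
import json

# Constructed issuer identifier for this model (assumption, not from the issue).
IDP_ISSUER = "https://idp.example"


def b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def hint_subject(id_token: str, expected_iss: str = IDP_ISSUER):
    """Return the `sub` from an id_token hint, or None if the hint is unusable.

    Only the payload is inspected here; a production IdP would also verify
    the signature before trusting the hint (assumption, outside this model).
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        return None
    try:
        claims = json.loads(b64url_decode(parts[1]))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return None
    if claims.get("iss") != expected_iss or not isinstance(claims.get("sub"), str):
        return None
    return claims["sub"]


def make_hint(claims: dict) -> str:
    """Build a constructed, unsigned id_token (alg=none) for the sample inputs."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."


def classify_case(hint_sub: str, sessions_at_idp: list) -> int:
    """Map the hinted user onto the issue's Case 1..4 given the users logged in at the IdP."""
    if not sessions_at_idp:
        return 4                      # Case 4: no user at the IdP
    if hint_sub not in sessions_at_idp:
        return 3                      # Case 3: hinted user does not match any session
    if len(sessions_at_idp) == 1:
        return 1                      # Case 1: the only user at the IdP matches
    return 2                          # Case 2: hinted user is one of several current users


def decide(prompt: str, id_token: str, sessions_at_idp: list) -> tuple:
    """Outcome of an authorization request carrying an id_token hint and a prompt value."""
    hint_sub = hint_subject(id_token)
    if hint_sub is None:
        # Assumption: a hint this IdP did not issue cannot drive the decision.
        return ("error", "invalid_request")
    case = classify_case(hint_sub, sessions_at_idp)
    if prompt == "none":
        if case in (1, 2):
            # E1: the user specified via id_token MUST be returned.
            return ("authenticated", hint_sub)
        # Assumption: no interaction is allowed and the hinted user has no session.
        return ("error", "login_required")
    if prompt == "login":
        # E2 / E3: re-authentication is required, and only the hinted user may succeed.
        return ("interactive_login", hint_sub)
    raise ValueError("prompt value not covered by this model")


if __name__ == "__main__":
    alice = make_hint({"iss": IDP_ISSUER, "sub": "alice"})
    print(decide("none", alice, ["bob", "alice"]))   # E1
    print(decide("login", alice, []))                # E2
    print(decide("login", alice, ["bob"]))           # E3
```

The `classify_case` helper is the part worth reusing: it turns the issue's four cases into a single number that the prompt handling can dispatch on, so each prompt value needs only one branch per case rather than a separate comparison of hint and session state.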
Comments (3)
reporter: In hindsight, the error response is adequately written. It could be clearer but would become longer, and I think the current one is the right balance.
reporter - changed status to wontfix
Nat will try to come up with a more concrete proposal