1. OpenID Foundation Avatar OpenID Foundation
  2. WGs
  3. connect
  4. Issues

Messages 2.1.1 - Text on id_token_hint needs to be clarified

Issue #722 resolved
Michael Jones created an issue

From: openid-specs-ab-bounces@lists.openid.net [mailto:openid-specs-ab-bounces@lists.openid.net] On Behalf Of Brian Campbell Sent: Friday, January 25, 2013 2:17 PM To: openid-specs-ab@lists.openid.net Subject: [Openid-specs-ab] Messages -15 RC: id_token_hint not clear

After reading the text about id_token_hint, I'm not at all sure what it means. The whole thing is confusing to me but the various language around encryption is particularly confusing. And what is the AS/OP supposed to actually do with this hint anyway?

spec text from near the bottom of this section http://openid.net/specs/openid-connect-messages-1_0-15.html#auth_req

id_token_hint OPTIONAL. ID Token passed to the Authorization server as a hint about the user's current or past authenticated session with the client. This SHOULD be present if prompt=none is sent. The value is a JWS [JWS] encoded ID token as signed by the issuer, the JWS [JWS] may be JWE [JWE] encrypted by the public key of the issuer for additional confidentiality. If the ID Token received by the RP was encrypted, the Client MUST decrypt the signed ID Token. The Client MAY re-encrypt using the key that the server is capable of decrypting. For a self-issued ID Token, the sub (subject) of the ID Token MUST be sent as the kid (Key ID) of the JWE.

Comments (5)

  2. Michael Jones reporter

    If the id_token is for a user that is logged in, then the server can send back a positive response. Otherwise, it should send back a negative response if the user doesn't have a valid session.

    We'll also try to clean up the encryption text.

  3. Brian Campbell

    explaining how this is the same or different from login_hint and including a sub with a value in the id_token member of the request object would be nice

  4. Brian Campbell

    also, seems like "This SHOULD be present if prompt=none" is too strong? Is prompt=none only useful in the case of a previously established connect session where the client sends back the id token?

  6. Log in to comment
Assignee
Type
bug
Priority
major
Status
resolved
Component
Messages
Milestone
Implementer's Draft
Version
Votes
0
Watchers
0
Jira Software: the preferred issue tracker for Bitbucket. Join the team!