- changed component to Core
- marked as enhancement
- marked as minor
Core Section 3 - id_token parameter for login initiation endpoint
Issue #904
resolved
For Core Section 3 I would like to add the following optional parameter to the login initiation endpoint.
id_token OPTIONAL. If the initiator is the iss then it may include an initial id_token. The value of exp SHOULD be set to a small value in the range of 5 minutes. The id_token must contain a valid aud restricting it to the client receiving it. If the client receives a value for this string-valued parameter, it MUST include it in the subsequent authorization request as the id_token_hint parameter value.
I have been getting push back from people looking to convert from SAML that Connect forces many more round trips than SAML for doing IdP initiated login.
Sending an initial short lived id_token lets the client do the quick customization of the UI that the id_token was intended to enable while allowing the client to get access tokens and a new id_token in the background using prompt=none.
This also reduces the eventual pressure to add more parameters to the endpoint as the AS can tack on additional claims it needs to maintain state.
I think we did have the id_token as a parameter at wine point then changed it to the login_hint when that was added to make it more general.
I know this is a late addition request.
Comments (5)
-
reporter
-
- changed milestone to Final
-
assigned issue to
Michael Jones
We will handle this as per the 2-Dec-13 call: Adding support for HTML form post but not adding the new parameter for now. It can be added later in an extension, after sufficient security analysis.
-
- changed title to Core Section 3 - id_token parameter for login initiation endpoint
-
The resolution to this issue is to allow third party login request parameters to be sent via HTML form post.
-
- changed status to resolved
Fixed
#904- Allowed third party login request parameters to be sent via HTML form post.→ <<cset ce2ca171efd1>>
- Log in to comment
