Core- 2.1.2.2 Authentication Request Validation - bullet 4.

Issue #906 resolved
Nat Sakimura created an issue

The bullet 4 currently states:

4 If the sub (subject) Claim is requested with a specific value for the ID Token, the Authorization Server MUST only send a positive response if the End-User identified by that sub value has an active session with the Authorization Server.

While it is understandable, it also sounds as if the server has to have an established session when the user agent arrives at the server. This is not the case, and unless prompt=none is specified, the server can re-authenticate the user to the desired sub, and return the response.

Suggests:

4 If the sub (subject) Claim is requested with a specific value for the ID Token, the Authorization Server MUST only send a positive response if the End-User is authenticated as the user identified by that sub value either with an active session with the Authorization Server or by re-Authenticating the user.
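As an added illustration (not part of this issue, of the OpenID Connect Core text, or of any implementation), the following Python routine encodes the behaviour the suggested wording describes: when the claims parameter asks for a specific sub, the Authorization Server issues a response only if the End-User is already authenticated as that sub or is re-authenticated as that sub, and with prompt=none it returns an error rather than issuing tokens for whoever happens to be logged in. The Session and Decision types, the already_reauthenticated flag and the choice of login_required as the error code are assumptions made for the example.

```python
"""Decision logic for a sub-constrained ID Token request (added example).

Models Core 3.1.2.2 bullet 4 as read in this issue: a request that names a
specific sub (claims={"id_token":{"sub":{"value":...}}}) may only succeed
when the authenticated user IS that sub, either via an existing session or
via re-authentication.  prompt=none forbids interaction, so the only
non-matching outcome is an error.  Error code choice is an assumption.
"""
import json
from dataclasses import dataclass
from typing import Optional


@dataclass
class Session:
    """Assumed shape of the AS's view of an authenticated End-User."""
    sub: str


@dataclass
class Decision:
    action: str                      # "issue" | "reauthenticate" | "error"
    error: Optional[str] = None      # OAuth/OIDC error code when action == "error"
    required_sub: Optional[str] = None


def requested_sub(params: dict) -> Optional[str]:
    """Return the specific sub value requested via the claims parameter,
    i.e. claims.id_token.sub.value, or None if no such constraint exists."""
    raw = params.get("claims")
    if not raw:
        return None
    try:
        claims = json.loads(raw) if isinstance(raw, str) else raw
    except ValueError:
        return None                  # malformed claims: treat as unconstrained here
    sub_req = (claims.get("id_token") or {}).get("sub")
    if isinstance(sub_req, dict) and isinstance(sub_req.get("value"), str):
        return sub_req["value"]
    return None


def validate_sub_request(params: dict, session: Optional[Session],
                         already_reauthenticated: bool = False) -> Decision:
    """Decide whether a positive response may be sent for this request.

    already_reauthenticated=True means the AS has just run the login flow
    for this request; if the user still does not match, the AS must fail
    rather than loop or issue tokens for a different user.
    """
    sub = requested_sub(params)
    if sub is None:
        return Decision("issue")     # no sub constraint: normal processing

    if session is not None and session.sub == sub:
        return Decision("issue")     # End-User authenticated as the requested sub

    prompts = set(params.get("prompt", "").split())
    if "none" in prompts or already_reauthenticated:
        # Either no interaction is allowed, or interaction already happened and
        # still produced a different user: never issue tokens for another sub.
        return Decision("error", error="login_required", required_sub=sub)

    # Neither an active session for `sub` nor a prohibition on interaction:
    # re-authenticate the End-User as `sub`, then call this again with
    # already_reauthenticated=True before issuing anything.
    return Decision("reauthenticate", required_sub=sub)


# Constructed sample request asking for sub "alice" (not real traffic).
SAMPLE_PARAMS = {
    "response_type": "id_token",
    "claims": json.dumps({"id_token": {"sub": {"value": "alice"}}}),
}
```

The two-phase call (first without, then with already_reauthenticated) is what keeps the "re-authenticate" path from ever issuing a token for a user other than the requested sub.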

Comments (3)
