Core - 2.1.2.2 Authentication Request Validation - bullet 4.
The bullet 4 currently states:
4 If the sub (subject) Claim is requested with a specific value for the ID Token, the Authorization Server MUST only send a positive response if the End-User identified by that sub value has an active session with the Authorization Server.
While it is understandable, it also sounds as if the server has to have an established session when the user agent arrives at the server. This is not the case, and unless prompt=none is specified, the server can re-authenticate the user to the desired sub, and return the response.
Suggests:
4 If the sub (subject) Claim is requested with a specific value for the ID Token, the Authorization Server MUST only send a positive response if the End-User is authenticated as the user identified by that sub value, either with an active session with the Authorization Server or by re-authenticating the user.
Comments (3)
We will do this with "authenticating" rather than "re-authenticating".
Changed status to resolved.
Fixed
#906 - Clarified when positive responses can be made when authentication of a specific user is requested. → <<cset ce006016a20a>>
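To make the resolved rule concrete, here is an added illustration (not code from the issue, the spec, or any OpenID implementation) of how an Authorization Server could apply bullet 4 when a specific `sub` is requested through the `claims` parameter: a matching active session yields a positive response; otherwise the End-User is authenticated, unless `prompt=none` forbids interaction. The `Session` class, the `authenticate()` callback and the error code used for a mismatch after authentication are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Error code defined by OpenID Connect Core for "cannot authenticate without interaction".
LOGIN_REQUIRED = "login_required"


@dataclass
class Session:
    sub: str            # subject identifier of the End-User the OP has authenticated
    active: bool = True


def requested_sub(claims: Optional[dict]) -> Optional[str]:
    """Return the specific 'sub' value requested for the ID Token via the 'claims'
    request parameter, e.g. {"id_token": {"sub": {"value": "248289761001"}}},
    or None when no specific value is requested."""
    if not claims:
        return None
    sub = claims.get("id_token", {}).get("sub")
    return sub.get("value") if isinstance(sub, dict) else None


def validate_sub_request(claims: Optional[dict], session: Optional[Session],
                         prompt: Optional[str],
                         authenticate: Callable[[], str]) -> tuple:
    """Apply bullet 4: a positive response only if the End-User is authenticated as
    the requested sub, either via an active session or by authenticating now.

    authenticate() is a constructed stand-in for the OP's interactive login and
    returns the sub of whoever logs in. Returns ("ok", sub) or ("error", code)."""
    wanted = requested_sub(claims)
    no_interaction = "none" in (prompt or "").split()   # prompt is space-separated
    have_session = session is not None and session.active

    if have_session and (wanted is None or session.sub == wanted):
        return ("ok", session.sub)          # active session already satisfies the request
    if no_interaction:
        return ("error", LOGIN_REQUIRED)    # prompt=none: may not authenticate the user
    actual = authenticate()                 # authenticate (or re-authenticate) the End-User
    if wanted is None or actual == wanted:
        return ("ok", actual)
    # A different user authenticated: no positive response. The bullet names no error
    # code for this case; reusing login_required here is an assumption of this example.
    return ("error", LOGIN_REQUIRED)
```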