how to react if login_hint AND login_hint_token are provided?
Issue #31
resolved
No description provided.
Comments (7)
-
reporter -
reporter - changed status to open
-
reporter We should either add a comment to section 3 login_hint_token parameter or to section 6 explaining the precedence of login_hint_token over login_hint if both are present, e.g.: "If both login_hint_token and login_hint are present in the authentication request, login_hint is ignored."
-
reporter Alternatively an invalid request error could be thrown.
-
reporter According to the meeting on July 12th 2017: I will amend the authentication spec with a passage that there must be an invalid request error if login_hint and login_hint_token are both present in the request.
-
reporter I added a paragraph to the definition of login_hint_token in section 3 of openid-connect-modrna-authentication-1_0.xml to specify behaviour if more than one hint parameter is present.
login_hint_token OPTIONAL. This is a new parameter. The login_hint_token is used to transport a user identifier from the Discovery Service to the OpenID Provider without revealing this identifier to the client. Section 6 specifies the structure of this parameter. Protection of the login_hint_token's content is specified in Section 6.1. Only one of "login_hint_token", "id_token_hint" or "login_hint" is allowed. If more than one of those parameters are present in the authentication request the server MUST return an "invalid_request" error.
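One way an OpenID Provider could enforce the rule in the paragraph above, as an added example that is not part of the issue thread or of the MODRNA specification. The function name is hypothetical; treating empty values as omitted and rejecting repeated parameters are assumptions taken from RFC 6749 (sections 3.1 and 4.1.2.1), not from this spec.

```python
from urllib.parse import parse_qs

# The three mutually exclusive hint parameters named in the amended section 3 text.
HINT_PARAMS = ("login_hint_token", "id_token_hint", "login_hint")


def check_hint_params(query_string):
    """Return None if the request carries at most one hint, else an error dict.

    Hypothetical helper: a real OP would run this before any hint is decoded
    or used to look up a user, so no code path silently prefers one hint.
    """
    # keep_blank_values=True so "login_hint=" is visible and handled explicitly.
    params = parse_qs(query_string, keep_blank_values=True)
    state = params.get("state", [None])[0]

    def invalid(description):
        error = {"error": "invalid_request", "error_description": description}
        if state is not None:
            error["state"] = state  # echo state back to the client
        return error

    present = []
    for name in HINT_PARAMS:
        values = params.get(name, [])
        # Assumption (RFC 6749, 4.1.2.1): a parameter sent more than once
        # is itself an invalid_request, whatever its values are.
        if len(values) > 1:
            return invalid(name + " must not be repeated")
        # Assumption (RFC 6749, 3.1): a parameter without a value is
        # treated as if it had been omitted.
        if values and values[0] != "":
            present.append(name)

    if len(present) > 1:
        return invalid("only one of " + ", ".join(HINT_PARAMS)
                       + " is allowed; got " + ", ".join(present))
    return None


if __name__ == "__main__":
    # Constructed sample requests, not taken from the issue.
    for qs in ("scope=openid&login_hint_token=constructed.token.value",
               "state=af0ifjsldkj&login_hint=alice&login_hint_token=constructed"):
        print(qs, "->", check_hint_params(qs))
```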
-
reporter - changed status to resolved
If both are present the login_hint_token takes precedence. In this case login_hint is ignored.