how to react if login_hint AND login_hint_token are provided?

Issue #31 resolved
Jörg Connotte created an issue

No description provided.

Comments (7)

  1. Jörg Connotte reporter

    If both are present the login_hint_token takes precedence. In this case login_hint is ignored.

  2. Jörg Connotte reporter

    We should either add a comment to section 3 login_hint_token parameter or to section 6 explaining the precedence of login_hint_token over login_hint if both are present. e.g.: "If both login_hint_token and login_hint are present in the authentication request login_hint is ignored."

  3. Jörg Connotte reporter

    According to meeting on July 12th 2017: I will amend the authentication spec with a passage that there must be an invalid request error if login_hint and login_hint_token are both present in the request.

  4. Jörg Connotte reporter

    I added a paragraph to the definition of login_hint_token in section 3 of openid-connect-modrna-authentication-1_0.xml to specify behaviour if more than one hint parameter is present.

       login_hint_token  OPTIONAL.  This is a new parameter.  The
          login_hint_token is used to transport a user identifier from the
          Discovery Service to the OpenID Provider without revealing this
          identifier to the client.  Section 6 specifies the structure of
          this parameter.  Protection of the login_hint_token's content is
          specified in Section 6.1.
    
          Only one of "login_hint_token", "id_token_hint" or "login_hint" is
          allowed.  If more than one of those parameters are present in the
          authentication request the server MUST return an "invalid_request"
          error.
    
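The rule from the amended Section 3 paragraph, as an added example that is not part of the issue thread or of the MODRNA specification: a server-side check that returns an `invalid_request` error when more than one hint parameter is present. The function names and sample values are constructed for illustration; the handling of empty and repeated parameters follows RFC 6749 section 3.1 and goes beyond the quoted paragraph.

```python
from urllib.parse import parse_qs

# The three mutually exclusive hint parameters named in the amended text.
HINT_PARAMS = ("login_hint_token", "id_token_hint", "login_hint")


def _invalid_request(description):
    # Hypothetical helper: builds the error members of an OAuth 2.0 error response.
    return {"error": "invalid_request", "error_description": description}


def check_hint_params(query_string):
    """Return None if the hint parameters are acceptable, else an error dict."""
    # keep_blank_values=True so that "login_hint=" is seen and handled explicitly.
    params = parse_qs(query_string, keep_blank_values=True)

    present = []
    for name in HINT_PARAMS:
        values = params.get(name, [])
        # RFC 6749 section 3.1: a parameter must not be included more than once.
        if len(values) > 1:
            return _invalid_request("parameter " + name + " is repeated")
        # RFC 6749 section 3.1: a parameter sent without a value counts as omitted.
        if values and values[0] != "":
            present.append(name)

    # Amended Section 3: more than one hint parameter is an invalid request.
    if len(present) > 1:
        return _invalid_request(
            "only one hint parameter is allowed, got: " + ", ".join(present)
        )
    return None


if __name__ == "__main__":
    # Constructed sample requests; the token values are placeholders.
    samples = [
        "scope=openid&login_hint_token=constructed.token.value",
        "scope=openid&login_hint=user1&login_hint_token=constructed.token.value",
        "scope=openid&login_hint=&id_token_hint=constructed.id.token",
    ]
    for qs in samples:
        print(qs, "->", check_hint_params(qs))
```
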