Hi Justin
It helps, many thanks. I understand why 'MUST' is there now...
Cheers, Sergey
On 21/10/15 14:37, Justin Richer wrote:
You're assuming that the user actually took an action to get to that
page. It's trivial for a website, any website, to craft a URL and
redirect a user to the IdP. I could give you a link here in this email
hidden behind a URL shortener or some other redirector. It would be very
bad practice to release identity information to any site that was
capable of doing this, and it would be likewise bad to assume
authorization just because the user showed up at a URL. The ID token
contains information like a unique identifier and potentially other
claims (Google puts in email addresses, for instance).
The common practice, codified in both OAuth2 and OIDC, is "Trust On
First Use", or TOFU. If it's a new situation (new client/RP, new scopes,
something else you're not sure about), you ask the user. Then you
(optionally) save that for next time, so if the same situation arises,
you already have the user's decision and you don't need to prompt them.
This can be further augmented by whitelisting trusted sites, where the
IdP/AS is making the authorization decision and not the user.
Hope this helps,
-- Justin
On 10/21/2015 9:06 AM, Sergey Beryozkin wrote:
Hi
I cannot subscribe to the OIDC spec list, had some earlier questions
not flowing to the list, and given I'm not sure this question is
irrelevant for this group (an OIDC IDP is an OAuth2 server), I'm posting
it here. If you'd like me to re-post to the OIDC list then let me know
please... Sorry for the noise, just in case :-)
So, all the flows in OIDC Core have this section:
http://openid.net/specs/openid-connect-core-1_0.html#Consent
http://openid.net/specs/openid-connect-core-1_0.html#ImplicitConsent
http://openid.net/specs/openid-connect-core-1_0.html#HybridConsent
This is pure OAuth2 still.
What I do not understand, if the response_type is 'id_token' and the
requested scope is 'openid' only,
http://openid.net/specs/openid-connect-core-1_0.html#Authentication
then what is a consent screen really about?
If the response_type is 'id_token' then a user has already given the
implicit authorization after visiting a client application web page
and clicking "Sign In With Google"/etc, and signing in to the OIDC IDP.
I thought this is what "openid" alone is all about.
Can someone clarify please if it is reasonable to skip challenging a
user with a consent screen in this case.
Thanks, Sergey
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
--
Sergey Beryozkin
Talend Community Coders
http://coders.talend.com/
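The decision logic Justin describes (ask on a new client or new scope, remember the answer, let the AS decide for whitelisted clients, and treat an `openid`-only `id_token` request like any other release of identity data) is easy to get wrong in an authorization server, so here is a worked version. This is an added example written for this thread, not code from either poster or from any OAuth/OIDC library; the `ConsentStore` class, its in-memory dictionaries and the sample client IDs are all constructed for illustration.

```python
"""Trust-On-First-Use (TOFU) consent decisions for an OAuth2/OIDC
authorization server.

Added example for the thread above, not code from the thread or from
any real AS. The store, the client IDs and the user names are constructed
for illustration only.
"""

from dataclasses import dataclass, field


@dataclass
class ConsentStore:
    # Clients the AS knows about at all; anything else is rejected before
    # a consent screen is ever considered.
    registered_clients: set = field(default_factory=set)
    # Clients the AS/IdP itself trusts: here the AS makes the authorization
    # decision and the user is not prompted.
    whitelisted_clients: set = field(default_factory=set)
    # (subject, client_id) -> scopes this user has already approved for
    # this client. Decisions are per user, not global.
    granted: dict = field(default_factory=dict)

    def decide(self, subject: str, client_id: str, requested: set) -> str:
        """Return 'reject', 'allow' or 'prompt' for an authorization request.

        A request for only the 'openid' scope still releases an ID token
        (a stable subject identifier and possibly other claims), so it is
        treated exactly like any other scope: the user is asked unless the
        AS already holds a decision for this client and these scopes.
        """
        if client_id not in self.registered_clients:
            return "reject"
        if client_id in self.whitelisted_clients:
            return "allow"
        previously = self.granted.get((subject, client_id), set())
        # Any scope not yet approved for this client is a "new situation".
        if requested - previously:
            return "prompt"
        return "allow"

    def record(self, subject: str, client_id: str, approved: set,
               remember: bool = True) -> None:
        """Persist the user's answer so the same situation is not re-asked.

        'remember' models the optional part of TOFU: an AS may choose to
        ask every time instead of saving the decision.
        """
        if remember:
            self.granted.setdefault((subject, client_id), set()).update(approved)


def walk_through() -> list:
    """Replay the situations discussed in the thread; returns the decisions."""
    store = ConsentStore(registered_clients={"rp-a", "rp-b"},
                         whitelisted_clients={"rp-b"})
    steps = []
    # 1. First visit from rp-a asking for 'openid' only: still a prompt.
    steps.append(store.decide("alice", "rp-a", {"openid"}))
    store.record("alice", "rp-a", {"openid"})
    # 2. Same client, same scope again: the saved decision is reused.
    steps.append(store.decide("alice", "rp-a", {"openid"}))
    # 3. Same client now also wants 'email': a new scope, so ask again.
    steps.append(store.decide("alice", "rp-a", {"openid", "email"}))
    # 4. A whitelisted client: the AS decides, no user prompt.
    steps.append(store.decide("alice", "rp-b", {"openid", "email"}))
    # 5. A client ID nobody registered: never reaches the consent screen.
    steps.append(store.decide("alice", "rp-unknown", {"openid"}))
    # 6. A different user at rp-a has no saved decision of her own.
    steps.append(store.decide("bob", "rp-a", {"openid"}))
    return steps


if __name__ == "__main__":
    for i, outcome in enumerate(walk_through(), 1):
        print(f"step {i}: {outcome}")
```

The point the thread makes is visible in steps 1 and 3: merely arriving at the authorization endpoint with `response_type=id_token&scope=openid` is not evidence of a user decision, because any site can send the browser there, so the first request from a client is prompted like any other, and a later request that widens the scope set is a new situation even for an already-approved client.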