
Implicit flow: id_token_hint, prompt=none #990

Open
srenatus opened this issue Jul 12, 2017 · 5 comments

Comments

@srenatus
Contributor

The OpenID Connect Implicit Client Implementer's Guide 1.0 - draft 20 mentions in 2.1.1.1 Request Parameters:

id_token_hint
OPTIONAL. ID Token previously issued by the Authorization Server being passed as a hint about the End-User's current or past authenticated session with the Client. If the End-User identified by the ID Token is logged in or is logged in by the request, then the Authorization Server returns a positive response; otherwise, it SHOULD return an error. When possible, an id_token_hint SHOULD be present when prompt=none is used and an invalid_request error MAY be returned if it is not; however, the server SHOULD respond successfully when possible, even if it is not present. The Authorization Server need not be listed as an audience of the ID Token when it is used as an id_token_hint value.

This would make the interaction between the user (operating a web frontend) and their IdP more streamlined:

  • the implicit grant gets the UI an id_token and an access_token, and, when they've expired,
  • the UI forwards the user to /auth?id_token_hint=$EXPIRED_ID_TOKEN,
  • dex would then figure out the right connector from the old id_token, and forward the user without presenting the connector selection.

Am I missing something already existing in dex? I think I've poked around a bit, but I couldn't find anything resembling login hints in the current code.

By any chance, is this on your roadmap? Also: would you like a PR? Or is this something you don't want dex to support?

Cheers
Stephan
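
To make the proposed /auth behaviour concrete, here is an added Go sketch (not dex code and not from this issue) of the decision a server makes for prompt=none: an expired id_token_hint is accepted as a hint, but only after its signature and issuer check out, while a missing or unverifiable hint yields invalid_request or login_required. It assumes the original connector is recorded in a federated_claims.connector_id claim and signs with HS256 and a shared secret so it runs offline; a real server would verify against its own signing keys.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// hintClaims: the id_token_hint claims /auth needs; federated_claims.connector_id is assumed to name the original connector.
type hintClaims struct {
	Issuer    string `json:"iss"`
	Federated struct{ ConnectorID string `json:"connector_id"` } `json:"federated_claims"`
}
// mintHint signs an HS256 token for this example (constructed data, not a real dex token).
func mintHint(key []byte, c hintClaims) string {
	body, _ := json.Marshal(c)
	in := "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9." + base64.RawURLEncoding.EncodeToString(body) // header {"alg":"HS256","typ":"JWT"}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(in))
	return in + "." + base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}
// connectorForRequest models /auth handling prompt=none. exp is deliberately not checked (an
// expired token is the expected hint), but signature and issuer must verify before a connector is picked.
func connectorForRequest(prompt, hint string, key []byte, issuer string) (string, error) {
	if prompt != "none" {
		return "", nil // interactive request: show the connector selection as today
	}
	if hint == "" {
		return "", errors.New("invalid_request") // the guide allows rejecting prompt=none without a hint
	}
	parts := strings.Split(hint, ".")
	if len(parts) != 3 {
		return "", errors.New("login_required")
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return "", errors.New("login_required") // a forged or unsigned hint must never select a connector
	}
	body, err := base64.RawURLEncoding.DecodeString(parts[1])
	var c hintClaims
	if err != nil || json.Unmarshal(body, &c) != nil || c.Issuer != issuer {
		return "", errors.New("login_required")
	}
	return c.Federated.ConnectorID, nil
}
```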

@srenatus
Contributor Author

srenatus commented Nov 9, 2017

I imagine this could also be useful for enabling silent refresh, see for example this approach of angular-oauth2-oidc.

@srenatus srenatus changed the title Implicit grant: id_token_hint, prompt=none Implicit flow: id_token_hint, prompt=none Nov 10, 2017
@scotthew1
Contributor

hey @srenatus, I know this one's a bit old, but has there been any further thought put into this feature? Seems like a nice one to have.

@srenatus
Contributor Author

@scotthew1 Sorry, I had missed that last question for a while... uhm, I've added tags 😅 ...Help welcome! I still think it would be a cool enhancement, and not blowing up Dex's focus too much.

@publicvirtualvoid

From my limited understanding, this is what I would need in order to get refresh tokens working using my (implicit) flow. Does that sound plausible, or should I be using something else?

@scotthew1
Contributor

hey @srenatus, just opened #1508 to handle id_token_hint. Looking for feedback, as this just handles that one parameter and I'm not sure how to best handle prompt, since the various options seem to extend beyond the scope of this issue.
