[keycloak-dev] id_token_hint

Stian Thorgersen sthorger at redhat.com
Fri Oct 9 01:41:32 EDT 2015


It wasn't on our road map, but it looks easy to add.

On 9 October 2015 at 07:16, Michael Gerber <gerbermichi at me.com> wrote:

> Hi,
> Do you have any plans to include the id_token_hint in the near future?
> id_token_hint: OPTIONAL. ID Token previously issued by the Authorization
> Server being passed as a hint about the End-User's current or past
> authenticated session with the Client. If the End-User identified by the ID
> Token is logged in or is logged in by the request, then the Authorization
> Server returns a positive response; otherwise, it SHOULD return an error,
> such as login_required. When possible, an id_token_hint SHOULD be present
> when prompt=none is used and an invalid_request error MAY be returned if
> it is not; however, the server SHOULD respond successfully when possible,
> even if it is not present. The Authorization Server need not be listed as
> an audience of the ID Token when it is used as an id_token_hint value. If
> the ID Token received by the RP from the OP is encrypted, to use it as an
> id_token_hint, the Client MUST decrypt the signed ID Token contained
> within the encrypted ID Token. The Client MAY re-encrypt the signed ID
> token to the Authentication Server using a key that enables the server to
> decrypt the ID Token, and use the re-encrypted ID token as the
> id_token_hint value.
> Best
> Michael
>
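The server-side decision that the quoted specification text describes for a prompt=none request, as an added example that is not part of the original thread and not Keycloak's code. Assumptions: the issuer URL, key and function names are constructed; HS256 with a shared key stands in for the OP's real signing key; an unverifiable hint is answered with invalid_request; token expiry is not enforced, because the hint may refer to a past session.

```python
import base64, hashlib, hmac, json

ISSUER = "https://op.example/realms/demo"   # constructed issuer
KEY = b"constructed-demo-signing-key"       # HS256 stand-in for the OP's key

def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_id_token(sub: str, aud: str) -> str:
    """Build a constructed HS256 ID Token for the demo."""
    head = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64e(json.dumps({"iss": ISSUER, "sub": sub, "aud": aud}).encode())
    sig = hmac.new(KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64e(sig)}"

def hinted_subject(hint):
    """Return the hint's subject, or None if this server did not issue it."""
    try:
        head, body, sig = hint.split(".")
        # Pin the algorithm; never let the token header choose it.
        if json.loads(b64d(head)).get("alg") != "HS256":
            return None
        want = hmac.new(KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(want, b64d(sig)):
            return None
        claims = json.loads(b64d(body))
        # No aud check: the server need not be an audience of a hint.
        return claims.get("sub") if claims.get("iss") == ISSUER else None
    except (ValueError, AttributeError):
        return None

def prompt_none_result(hint, session_sub):
    """Decide the response to a prompt=none authentication request."""
    if hint is None:
        # The hint is optional: succeed when a session exists anyway.
        return "ok" if session_sub else "login_required"
    sub = hinted_subject(hint)
    if sub is None:
        return "invalid_request"   # assumption: unverifiable hint is rejected
    # Positive response only if the hinted End-User is the one logged in.
    return "ok" if sub == session_sub else "login_required"
```

The subject comparison is what stops a client holding one user's ID Token from silently receiving a response for a different user who happens to be logged in at the browser.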