Closed gffletch closed 3 months ago
I don't think we need to say anything in particular about this. If the AS wants to redirect the browser to a different IDP, it would have to do its own OIDC flow to that IDP anyway, so a shortcut like this wouldn't work anyway.
Like other endpoints, there is no current requirement that the `authorization_challenge_endpoint` is on the same domain as the `authorization_endpoint` or `token_endpoint`. Given that the sequence is really an authentication sequence, is it ok for the flow to occur at a different endpoint (like an Authorization Server redirecting the browser to a different IDP for authentication)? Do we need to support such a concept?