openid / AppAuth-Android

Android client SDK for communicating with OAuth 2.0 and OpenID Connect providers.
https://openid.github.io/AppAuth-Android
Apache License 2.0

Support "id_token_hint" OpenID Connect auth request parameter #17

Open iainmcgin opened 8 years ago

iainmcgin commented 8 years ago

OpenID Connect Core 1.0, Section 3.1.2.1, id_token_hint parameter:

OPTIONAL. ID Token previously issued by the Authorization Server being passed as a hint about the End-User's current or past authenticated session with the Client. If the End-User identified by the ID Token is logged in or is logged in by the request, then the Authorization Server returns a positive response; otherwise, it SHOULD return an error, such as login_required. When possible, an id_token_hint SHOULD be present when prompt=none is used and an invalid_request error MAY be returned if it is not; however, the server SHOULD respond successfully when possible, even if it is not present. The Authorization Server need not be listed as an audience of the ID Token when it is used as an id_token_hint value.

If the ID Token received by the RP from the OP is encrypted, to use it as an id_token_hint, the Client MUST decrypt the signed ID Token contained within the encrypted ID Token. The Client MAY re-encrypt the signed ID token to the Authentication Server using a key that enables the server to decrypt the ID Token, and use the re-encrypted ID token as the id_token_hint value.

alixwar commented 2 years ago

This became more of a problem now with this issue in KeyCloak 18: https://github.com/keycloak/keycloak/issues/12680

coskunuyar commented 2 years ago

Where to find the value of id_token_hint?

alixwar commented 2 years ago

> Where to find the value of id_token_hint?

I'm not sure exactly what you are asking for but here is a description in §2. RP-Initiated Logout, https://openid.net/specs/openid-connect-rpinitiated-1_0.html

"RECOMMENDED. ID Token previously issued by the OP to the RP passed to the Logout Endpoint as a hint about the End-User's current authenticated session with the Client. This is used as an indication of the identity of the End-User that the RP is requesting be logged out by the OP."

alixwar commented 2 years ago

This issue can be closed.

"id_token_hint" is actually the id_token value. And it is already possible to send this parameter:

```kotlin
// Logout (RP-initiated): EndSessionRequest already has a setter for id_token_hint,
// which takes the ID token the OP issued for the current session.
checkNotNull(authorizationService).performEndSessionRequest(
    EndSessionRequest.Builder(checkNotNull(authStateManager.current.authorizationServiceConfiguration))
        .setAdditionalParameters(mapOf(Pair("client_id", CLIENT_ID)))
        .setIdTokenHint(authStateManager.current.idToken)   // the stored id_token
        .setPostLogoutRedirectUri(REDIRECT_URL)            // a Uri, registered at the OP
        .build(),
    completedIntent
)
```

ralfhecktor commented 1 year ago

This issue cannot be closed in my opinion as the initial request seems still to be valid. The code you mentioned @alixwar is only for logout. The initial request was for the authorization request. I would also be interested in a current status of this request. Thanks.
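As an added illustration of the gap discussed in this thread (not code from the AppAuth-Android project or from any commenter): `AuthorizationRequest.Builder` has no `setIdTokenHint`, but it does accept additional parameters, so a client can still send `id_token_hint` together with `prompt=none` to attempt a silent re-authentication against the session the OP already knows. The example assumes that the builder does not reserve `id_token_hint` as a built-in parameter (it reserves `prompt`, `login_hint`, `nonce` and a few others, which is why `setPrompt` is used for `prompt`), and that `CLIENT_ID`, `REDIRECT_URI`, `serviceConfig`, `authState`, `authService` and the two `PendingIntent`s are supplied by the surrounding app. The spec text quoted above is what drives the error handling: when the hinted user is not logged in, the OP is expected to answer `login_required` rather than show a login UI.

```kotlin
import android.app.PendingIntent
import android.content.Intent
import android.net.Uri
import net.openid.appauth.AuthState
import net.openid.appauth.AuthorizationException
import net.openid.appauth.AuthorizationRequest
import net.openid.appauth.AuthorizationResponse
import net.openid.appauth.AuthorizationService
import net.openid.appauth.AuthorizationServiceConfiguration
import net.openid.appauth.ResponseTypeValues

// Hypothetical app constants (assumed, not from the project).
const val CLIENT_ID = "my-client"
val REDIRECT_URI: Uri = Uri.parse("com.example.app:/oauth2redirect")

/**
 * Builds a silent re-authentication request for the user identified by a
 * previously issued ID token. Returns null when there is no ID token to hint
 * with, because prompt=none without a hint is exactly the case the spec says
 * an OP MAY reject with invalid_request.
 */
fun buildSilentReauthRequest(
    serviceConfig: AuthorizationServiceConfiguration,
    authState: AuthState
): AuthorizationRequest? {
    val idToken = authState.idToken ?: return null
    return AuthorizationRequest.Builder(
        serviceConfig,
        CLIENT_ID,
        ResponseTypeValues.CODE,
        REDIRECT_URI
    )
        .setScope("openid profile")
        // prompt is a built-in parameter, so it must go through its setter.
        .setPrompt("none")
        // id_token_hint is not a built-in AuthorizationRequest parameter (assumption),
        // so it can be carried as an additional query parameter. The OP treats it as a
        // hint only and still validates it; it does not grant access by itself.
        .setAdditionalParameters(mapOf("id_token_hint" to idToken))
        .build()
}

fun startSilentReauth(
    authService: AuthorizationService,
    request: AuthorizationRequest,
    completedIntent: PendingIntent,
    canceledIntent: PendingIntent
) {
    authService.performAuthorizationRequest(request, completedIntent, canceledIntent)
}

/** Outcome of a prompt=none attempt, so the caller can decide whether to show a login UI. */
sealed class SilentReauthResult {
    data class Success(val response: AuthorizationResponse) : SilentReauthResult()
    object LoginRequired : SilentReauthResult()
    data class Failed(val error: AuthorizationException) : SilentReauthResult()
}

/**
 * Interprets the redirect Intent delivered to the completion activity.
 * login_required is not one of AppAuth's named error constants, so it is
 * recognised by its error code string, which AppAuth preserves on the exception.
 */
fun handleSilentReauthRedirect(data: Intent): SilentReauthResult {
    val response = AuthorizationResponse.fromIntent(data)
    val exception = AuthorizationException.fromIntent(data)
    return when {
        response != null -> SilentReauthResult.Success(response)
        exception != null && exception.error == "login_required" ->
            // The hinted session is gone at the OP: fall back to an interactive login
            // (a normal AuthorizationRequest without prompt=none and without the hint).
            SilentReauthResult.LoginRequired
        exception != null -> SilentReauthResult.Failed(exception)
        else -> SilentReauthResult.Failed(
            AuthorizationException.AuthorizationRequestErrors.OTHER
        )
    }
}
```

Two practical notes follow from the spec text quoted in this issue. First, the hint travels in the authorization URL, so only the ID token itself (never an access or refresh token) should be placed there, and the OP may legitimately ignore or reject it; the client must still be prepared for an interactive login. Second, if the OP issued an encrypted ID token, the client must pass the decrypted signed token (or re-encrypt it to the OP), so storing the encrypted form alone is not enough to use this parameter.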