When a user agent gets redirected from an RP to an IdP, this redirection might happen over multiple "hops". How do we make sure that the final hop (IdP) gets the information about the user agent's token binding ID with the original hop (RP) across these multiple hops?
Presumably, the first destination of the redirect is already within the administrative domain of the IdP, even if it's not yet at the identity-token-issuing endpoint. It's the IdP's responsibility to remember the information about the referred token binding while it's redirecting the client further. It can do this in a variety of different ways - for example, by including a (signed) query parameter in the next redirect URL that includes the token binding id that the id token should be bound to.
To keep the spec simple, I would therefore suggest that we only include the referred token binding in the first redirect - the one that had the Include-Referer-Token-Binding-ID header together with the 302/301 status code.
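An added example, not part of the original comment or the spec: one way an IdP could carry the referred token binding ID across its own redirects in a signed query parameter, with the later hop rejecting a missing, altered or stale value. The parameter names (`rtb`, `iat`, `sig`), the HMAC-SHA256 construction, the key and the 60-second lifetime are all assumptions.

```python
import base64, hashlib, hmac, time
from urllib.parse import urlencode, urlparse, parse_qs

# Assumption: a secret shared only by the IdP's own endpoints (constructed value).
IDP_HOP_KEY = b"constructed-demo-key-not-for-production"
MAX_AGE = 60  # assumed lifetime, in seconds, of the carried value between hops

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _mac(tbid_b64: str, issued: str) -> bytes:
    # The MAC covers both the ID and the issue time, so neither can be swapped.
    msg = f"{tbid_b64}.{issued}".encode()
    return _b64(hmac.new(IDP_HOP_KEY, msg, hashlib.sha256).digest()).encode()

def next_hop_url(base_url: str, referred_tbid: bytes, now=None) -> str:
    """First IdP hop: attach the referred token binding ID to the next redirect.
    Assumes base_url has no query string of its own."""
    issued = str(int(time.time() if now is None else now))
    tbid = _b64(referred_tbid)
    sig = _mac(tbid, issued).decode()
    return f"{base_url}?{urlencode({'rtb': tbid, 'iat': issued, 'sig': sig})}"

def referred_tbid_from(url: str, now=None):
    """Later IdP hop: return the ID bytes, or None if missing, altered or stale."""
    q = parse_qs(urlparse(url).query)
    try:
        tbid, issued, sig = q["rtb"][0], q["iat"][0], q["sig"][0]
        age = (time.time() if now is None else now) - int(issued)
    except (KeyError, ValueError):
        return None
    # Constant-time comparison on bytes; verify before trusting any field.
    if not hmac.compare_digest(sig.encode(), _mac(tbid, issued)):
        return None
    if not 0 <= age <= MAX_AGE:
        return None
    return base64.urlsafe_b64decode(tbid + "=" * (-len(tbid) % 4))
```
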