SL1 - tenancy in third-party initiated login

[dickhardt]

Multi-tenant OPs commonly use the unspecified parameter domain_hint to indicate which tenant to use. I suggest we define that for the third-party initiated login and as an authorization request parameter.

Similarly, in multi-tenant clients that use different client_id values for each tenant, a client_id parameter to the third-party initiated login endpoint would allow clients to not embed tenant information in the initiate_login_uri.

[dhs-BI]

As discussed on the call on March 11, this work should move to the Connect WG.

[dickhardt]

Adding more clarification per the call.

The domain_hint query parameter would be added to the third party initiated login and the authorization request. It would contain the domain that the OP would use to determine the tenant.

The client_id query parameter would be added to the third party initiated login so that a multi tenant RP would know which client_id to use in the authorization request

The tenant claim that is currently in the OpenID Provider Commands draft could be included in the same document, and we might as well through session_lifetime in there as well! :)

[dhs-BI]

With the agreement to move this to the AB Connect WG, I'm going to close this issue. I'll let the chairs of AB Connect determine how best to move this forward in that WG so that we may include these params in the future IPSIE profile.

For further details, see the thread on the AB Connect mailing list: https://lists.openid.net/pipermail/openid-specs-ab/2025-March/010661.html.

cc: @selfissued @sakimura @ve7jtb

[dickhardt]

How about we leave this open until work starts over in Connect? Closing it makes it hard to find

[dhs-BI]

Fair enough @dickhardt, reopening at your request.

[dhs-BI]

@dickhardt assigning this to you for follow up and to keep us up to date on how this work progresses in AB Connect.

[dickhardt]

linking #60 to be part of same workstream in A/B-connect