
Set id_token_hint in authorize URL from session #300

Merged
vlaurin merged 2 commits into main from authorize-id-token-hint
Mar 6, 2025


vlaurin commented Mar 6, 2025

When an ID token is present in an existing session (i.e. re-authentication for a session with expired access/refresh tokens), pass the ID token to the authorisation server via the id_token_hint request parameter. While this may not be supported by all OIDC providers, the ones which do support it can use it to validate the user being re-authenticated is the same as the current SSO session, if one exists.

See: https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest

vlaurin added 2 commits March 6, 2025 17:00
When an ID token is present in an existing session (i.e. re-authentication for a session with expired access/refresh tokens), pass the ID token to the authorisation server via the `id_token_hint` request parameter.
While this may not be supported by all OIDC providers, the ones which do support it can use it to validate the user being re-authenticated is the same as the current SSO session, if one exists.

See: https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
vlaurin merged commit 81e3ffb into main Mar 6, 2025
7 checks passed
vlaurin deleted the authorize-id-token-hint branch March 6, 2025 17:15
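
The behaviour described in this pull request, as an added example that is not the project's own code: the hint is attached only when the session holds a well-formed ID token whose `iss` matches the configured issuer. The config and session field names, the issuer check and the sample values are assumptions made for illustration.

```javascript
// Added example. Field names (issuer, authorizationEndpoint, session.idToken)
// are assumptions, not this project's API.

// Read the claims of a compact JWS without verifying its signature. The value
// is only forwarded as a hint; the authorisation server validates it.
function decodeJwtClaims(token) {
  if (typeof token !== 'string') return null;
  const parts = token.split('.');
  if (parts.length !== 3 || parts.some((p) => !/^[A-Za-z0-9_-]+$/.test(p))) return null;
  try {
    const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
    const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
    const claims = JSON.parse(new TextDecoder().decode(bytes));
    return claims !== null && typeof claims === 'object' ? claims : null;
  } catch {
    return null; // not base64url or not JSON: treat as "no usable ID token"
  }
}

function buildAuthorizeUrl(config, session, { state, nonce }) {
  const url = new URL(config.authorizationEndpoint);
  const base = {
    response_type: 'code', client_id: config.clientId,
    redirect_uri: config.redirectUri, scope: 'openid', state, nonce,
  };
  for (const [k, v] of Object.entries(base)) url.searchParams.set(k, v);
  // Send the hint only to the issuer that minted the token, so a stale session
  // from a previously configured provider does not leak claims to a new one.
  const claims = decodeJwtClaims(session && session.idToken);
  if (claims && claims.iss === config.issuer) {
    url.searchParams.set('id_token_hint', session.idToken);
  }
  return url;
}

// Constructed sample data (not a real token; the signature is a dummy string).
const b64url = (o) => btoa(JSON.stringify(o)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const sampleIdToken = (claims) => `${b64url({ alg: 'RS256' })}.${b64url(claims)}.ZHVtbXk`;
const SAMPLE_CONFIG = {
  issuer: 'https://idp.example',
  authorizationEndpoint: 'https://idp.example/authorize',
  clientId: 'demo-client',
  redirectUri: 'https://app.example/callback',
};
const demo = buildAuthorizeUrl(SAMPLE_CONFIG,
  { idToken: sampleIdToken({ iss: 'https://idp.example', sub: 'user-1' }) },
  { state: 'st-1', nonce: 'n-1' });
console.log(demo.toString());
```

Because the hint travels in the query string of the authorize URL, the ID token can end up in browser history and access logs, so those URLs are worth treating as sensitive.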