
id_token_hint : Silent Re-authentication of subject with ID Token

Authenticating the subject with an ID Token is an option of the OpenID Connect Authorization Code flow.
To obtain OpenID Connect certification, the test "OP-Req-id_token_hint" must pass.
Brent Shaffer's oauth2-server-php library does not process id_token_hint; OAuthSD takes care of it.

The use case consists of calling Authorize with prompt=none and passing the ID Token in the id_token_hint parameter.

The specification states:

OPTIONAL. ID Token previously issued by the Authorization Server being passed as a hint about the End-User's current or past authenticated session with the Client. If the End-User identified by the ID Token is logged in or is logged in by the request, then the Authorization Server returns a positive response; otherwise, it SHOULD return an error, such as login_required. When possible, an id_token_hint SHOULD be present when prompt=none is used and an invalid_request error MAY be returned if it is not; however, the server SHOULD respond successfully when possible, even if it is not present. The Authorization Server need not be listed as an audience of the ID Token when it is used as an id_token_hint value.

OAuthSD Implementation of id_token_hint processing

If the call to Authorize includes the id_token_hint parameter, the JWT signature is verified. If it is valid, the sub claim is adopted as user_id and processing continues normally with prompt=none.

The phrase "or is logged in by the request" may cover a mechanism such as silent re-authentication (SRA). This is what OAuthSD does: the process extends the OIDC session, i.e. refreshes the SLI cookie, whether or not the user is currently logged in.
The authorize controller responds with an authorization code, and the application requests the tokens again, which refreshes the access token.
Thus, seen from the server, the user is (re)connected for the full lifetime of the new access token. Since little trust is placed in this method, acr_value is set to 1.

The administrator can control the process with the REAUTHENTICATE_BY_ID_TOKEN and DO_SRA_ON_ID_TOKEN configuration constants (both true by default).

Security note

When you authenticate with prompt='none', you should always include id_token_hint. More precisely, querying Authorize with prompt='none' and without id_token_hint cannot be considered an end-user authentication, only a simple report on the declared user's connection state.

Notes:
- If a user_id is enforced by the client registration, the ID Token sub claim must be identical, or the process fails.
- prompt='none' excludes any prompting of the user. The expression "or is logged in by the request" may cover a mechanism such as Silent Re-Authentication (SRA), which is what OAuthSD allows.
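The decision logic described in the implementation section and in the notes above (verify the hint's signature, adopt sub as user_id, compare it with a user_id enforced by client registration, extend the session and answer with acr 1), as an added example that is not OAuthSD's own code. It uses an HS256 token signed with a constructed server secret so that it runs offline; the issuer URL, the secret, and the error codes chosen for the failure cases (invalid_request when the hint is missing, login_required when it is invalid or does not match) are assumptions of this example. The existing-session path without a hint (where the spec says the server SHOULD still succeed if the user is logged in) is not modelled.

```python
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Optional

# Constructed values for this example (not OAuthSD's real keys or identifiers).
SERVER_ISSUER = "https://oauth.example.test"            # assumed issuer URL
SERVER_HMAC_KEY = b"example-signing-key-do-not-reuse"    # constructed HS256 secret

# Assumed defaults for the configuration constants named on the page.
REAUTHENTICATE_BY_ID_TOKEN = True
DO_SRA_ON_ID_TOKEN = True


def _b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_id_token(claims: dict) -> str:
    """Mint an HS256 ID Token; only used to build sample input for the example."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(SERVER_HMAC_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_id_token_hint(token: str) -> Optional[dict]:
    """Return the claims if the token was signed by this server, else None.

    Expiry is deliberately not checked: the spec allows the hint to describe a
    past session, so an expired ID Token is still a usable hint.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":  # reject alg=none and unexpected algorithms
            return None
        expected = hmac.new(SERVER_HMAC_KEY, f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # malformed base64 / JSON / wrong number of segments
        return None
    # The hint must come from this Authorization Server and carry a subject.
    if claims.get("iss") != SERVER_ISSUER or not isinstance(claims.get("sub"), str):
        return None
    return claims


@dataclass
class AuthorizeResult:
    ok: bool
    error: Optional[str] = None
    user_id: Optional[str] = None
    acr: Optional[int] = None
    session_extended: bool = False


def authorize_prompt_none(id_token_hint: Optional[str],
                          registered_user_id: Optional[str] = None) -> AuthorizeResult:
    """Decide a prompt=none request from the id_token_hint alone.

    registered_user_id is the user_id enforced by the client registration, if any.
    """
    if id_token_hint is None:
        # Without a hint, prompt=none is not an end-user authentication (assumed error code).
        return AuthorizeResult(ok=False, error="invalid_request")
    if not REAUTHENTICATE_BY_ID_TOKEN:
        return AuthorizeResult(ok=False, error="login_required")
    claims = verify_id_token_hint(id_token_hint)
    if claims is None:
        return AuthorizeResult(ok=False, error="login_required")
    if registered_user_id is not None and claims["sub"] != registered_user_id:
        # sub must match the user_id enforced for this client.
        return AuthorizeResult(ok=False, error="login_required")
    # Adopt sub as user_id, extend the session (SRA) and report the weak acr level 1.
    return AuthorizeResult(ok=True, user_id=claims["sub"], acr=1,
                           session_extended=DO_SRA_ON_ID_TOKEN)


if __name__ == "__main__":
    sample = make_id_token({"iss": SERVER_ISSUER, "sub": "alice", "aud": "client-1", "exp": 0})
    print(authorize_prompt_none(sample))
    print(authorize_prompt_none(sample, registered_user_id="bob"))
```

The signature is checked with a constant-time comparison and the algorithm is pinned before the signature is looked at, so a token whose header claims alg=none is rejected without ever reaching the subject. Note that the expired sample token is still accepted as a hint, which is what makes the low acr value appropriate.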

See also:
- OpenID Connect: SSO, session management, etc.