On Wed, May 8, 2019 at 9:38 AM Emond Papegaaij <emond.papega...@gmail.com> wrote:
> In our case our AS might have to federate the authentication to some other AS,
> that would only work in an iframe. Therefore, I think we will go for the OIDC
> prompt=none in a hidden iframe. I'm not sure what to do if the AS reports that
> interaction is required, but at least the majority of the cases will be
> covered.

I've implemented OpenID Connect Session Management in two AS and one app (not a SPA though); Session Management uses prompt=none in a hidden iframe. When the AS redirects back with an error (login_required, interaction_required, etc.) the hidden iframe can communicate the error to the app (parent window), which then can display a message with a button/link to reauthenticate in a popup.

prompt=none in a hidden iframe, plus interactions in a popup, look to me like the way to go (my use-case has always been authentication though, never authorizations alone, so maybe things would be different in your case).
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
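
The flow described in the message above, sketched as an added example that is not code from either poster or from any AS they mention: the parent builds a prompt=none request for a hidden iframe, the callback page relays the AS response, and the parent accepts it only from its own origin, its own iframe and the expected state. The endpoint, client id, origin, callback path, message shape and the use of response_type=code are all assumptions made for illustration.

```javascript
// Constructed placeholder values (assumptions, not from the thread).
const AS_AUTHZ = 'https://as.example/authorize';
const APP_ORIGIN = 'https://app.example';
const CLIENT_ID = 'constructed-client-id';

// OIDC Core error codes that mean "the user has to interact with the AS".
const NEEDS_INTERACTION = new Set(['login_required', 'interaction_required',
  'consent_required', 'account_selection_required']);

// Parent window: URL to load in the hidden iframe.
function silentAuthUrl(state, nonce) {
  const u = new URL(AS_AUTHZ);
  u.search = new URLSearchParams({
    response_type: 'code', client_id: CLIENT_ID, scope: 'openid',
    redirect_uri: APP_ORIGIN + '/silent-callback',
    prompt: 'none', state, nonce,
  }).toString();
  return u.toString();
}

// Callback page (runs inside the iframe): turn the AS redirect into a message.
// In a browser it would then call:
//   window.parent.postMessage(callbackToMessage(location.href), APP_ORIGIN);
function callbackToMessage(href) {
  const p = new URL(href).searchParams;
  const msg = { type: 'silent-auth', state: p.get('state') };
  if (p.has('error')) msg.error = p.get('error');
  else msg.code = p.get('code');
  return msg;
}

// Parent window: decide what to do with a "message" event.
// Anything not from our origin, our iframe and our pending state is dropped.
function handleSilentResult(event, expectedState, iframeWindow) {
  if (event.origin !== APP_ORIGIN || event.source !== iframeWindow) {
    return { action: 'ignore' };
  }
  const m = event.data;
  if (!m || m.type !== 'silent-auth' || m.state !== expectedState) {
    return { action: 'ignore' };
  }
  if (m.code) return { action: 'redeem', code: m.code };
  // Popups are normally blocked unless opened from a user gesture, hence the
  // button/link: the app shows it and opens the interactive request on click.
  if (NEEDS_INTERACTION.has(m.error)) return { action: 'offer-popup', reason: m.error };
  return { action: 'fail', reason: m.error };
}
```
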