Stream: smart
Topic: OIDC id_token_hint for SSO
Sagar Shah (Dec 16 2020 at 02:52):
An application on OpenID login gets the user's ID_Token. Can/Shall it use it as an id_token_hint to silently authenticate the login when launching another App (for another OAuth client)? Is it a good practice, or can it pose a security threat and should it be prevented by the Auth server?
Josh Mandel (Dec 16 2020 at 03:42):
This is more a question about use of prompt=none (rather than token hints). In any case, we don't make any particular recommendation about this in SMART, but it's something you'd want to consider cautiously (especially when the request isn't for SSO only, but for clinical access scopes too).
Sagar Shah (Dec 16 2020 at 04:10):
Thanks again for clarifications and recommendations here.
Last updated: Apr 12 2022 at 19:14 UTC