Description
The specification requires allowing for prompt=none in the authentication request (https://openid.net/specs/openid-connect-core-1_0.html, section 3.1.2.1). What is required is that if the user supplies a valid id token in the token_hint, the server verifies a current login and responds with a code, allowing a user who has authenticated to get a new access token.
This is a terrible idea.
The request requires only the client id (no secret) and would allow for anyone who has an id token to assume the identity of that user. Without e.g. the secret, there is no guarantee that the server is making the request. It is true that the response is sent to the callback endpoint, but that is not strong enough.
Propose making this an option that can be enabled, but the default for OA4MP is to disallow it.
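The gating described above, as an added illustration that is not OA4MP code: an authorization-endpoint decision function that refuses prompt=none unless an `allow_prompt_none` option is set, and, when it is set, acts on the `id_token_hint` only after checking signature, issuer, audience (must equal the requesting client id) and expiry, and confirming a current login session for the subject. The toy token format (base64url JSON plus an HMAC tag), the in-memory session store and the `login_required` error for the disabled case are assumptions for this example.

```python
import base64, hashlib, hmac, json, secrets, time

# Constructed server-side state for the example: issuer, id-token signing key,
# and a session store mapping subject -> time of last login.
ISSUER = "https://op.example"
KEY = b"constructed-demo-key"
SESSIONS = {"alice": time.time()}  # alice is currently logged in; bob is not

def issue_id_token(sub, aud, ttl=3600):
    """Mint a minimal id token: base64url(JSON claims) + '.' + hex(HMAC-SHA256)."""
    claims = {"iss": ISSUER, "sub": sub, "aud": aud, "exp": int(time.time()) + ttl}
    b = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
    return b + "." + hmac.new(KEY, b.encode(), hashlib.sha256).hexdigest()

def verify_id_token_hint(token, client_id):
    """Return the claims only if signature, issuer, audience and expiry all hold."""
    try:
        b, tag = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(KEY, b.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None  # forged or tampered token
    claims = json.loads(base64.urlsafe_b64decode(b))
    if claims.get("iss") != ISSUER or claims.get("aud") != client_id:
        return None  # wrong issuer, or token issued to a different client
    if claims.get("exp", 0) < time.time():
        return None  # expired
    return claims

def authorize(request, allow_prompt_none=False):
    """Decide a prompt=none authorization request.
    With the default allow_prompt_none=False the hint is never acted on, so
    possession of an id token plus a public client id yields no code."""
    if request.get("prompt") != "none":
        return ("interactive_login", None)  # ordinary flow: send the user to log in
    if not allow_prompt_none:
        return ("error", "login_required")  # feature disabled by default
    claims = verify_id_token_hint(request.get("id_token_hint", ""), request["client_id"])
    if claims is None or claims["sub"] not in SESSIONS:
        return ("error", "login_required")  # no verified, current login for this subject
    return ("code", secrets.token_urlsafe(16))
```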