In the flow proposed by this draft, it is possible for a client to send a token exchange request concerning a user that the resource authorization server has never seen before, e.g. (using the terminology in 4.1) if I try to connect the chat app to the wiki app using my enterprise IdP without ever having created a chat app account.
What should happen in this scenario? I see a few options:
- The chat app should take the ID-JAG token subject to the IdP and JIT provision a user based on the IdP's response. I think this would lead to a somewhat meaningless grant -- if I don't have a chat app account, what exactly would the wiki app gain from this anyway? Also, depending on the chat app's UX, this might spring a whole user onboarding flow on the user in the middle of the authz request.
- The chat app should return a user not found error to the wiki app. I think this makes the most sense.
- The IdP should not even issue an ID-JAG if it knows the user doesn't have a chat app account. This relies on the IdP always knowing whether the account exists, with high confidence, so I'm not sure it's a viable option.
In any case, I think it'd be helpful for the draft to address this scenario.
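The second option above (the chat app's authorization server refuses the request instead of provisioning a user), worked through as an added example that is not from the draft or from this issue. It sketches a token-endpoint handler that fully validates the presented assertion (signature, issuer, audience, expiry, required claims) before it looks the subject up, and only for a verified assertion answers with an OAuth `invalid_grant` error whose description says the asserted subject has no account. Everything concrete here is an assumption made to keep the example self-contained: the HS256 shared secret (a real deployment would verify the IdP's asymmetric signature), the claim names `iss`/`sub`/`aud`/`jti`/`exp`, the in-memory user store, and the use of the RFC 7523 `jwt-bearer` grant type and RFC 7521 error code; the draft's actual ID-JAG claim set is not reproduced.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed fixtures (assumptions for this example, not values from the draft).
IDP_ISSUER = "https://idp.example"
CHAT_AS_AUDIENCE = "https://chat.example/oauth/token"
SHARED_SECRET = b"constructed-demo-secret"   # HS256 only so the example runs offline
KNOWN_USERS = {"alice@example.com": {"id": 17}}  # the chat app's local account store
JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_assertion(claims: dict) -> str:
    """Stand-in for the IdP: produce a compact HS256 JWT carrying the given claims."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(SHARED_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_assertion(token: str, now: float) -> dict:
    """Return the claims if signature, issuer, audience, expiry and required claims
    check out; raise ValueError with a short reason otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed assertion")
    header, payload, sig = parts
    expected = hmac.new(SHARED_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload))
    if claims.get("iss") != IDP_ISSUER:
        raise ValueError("unexpected issuer")
    if claims.get("aud") != CHAT_AS_AUDIENCE:
        raise ValueError("unexpected audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    for name in ("sub", "jti"):
        if name not in claims:
            raise ValueError(f"missing {name}")
    return claims


def handle_token_request(form: dict, now=None) -> tuple:
    """Chat app authorization server: token endpoint for the JWT bearer grant.
    Returns (http_status, json_body)."""
    now = time.time() if now is None else now
    if form.get("grant_type") != JWT_BEARER:
        return 400, {"error": "unsupported_grant_type"}
    try:
        claims = verify_assertion(form.get("assertion", ""), now)
    except ValueError as err:
        # Anything wrong with the assertion itself: RFC 7521 maps this to invalid_grant.
        return 400, {"error": "invalid_grant", "error_description": err.args[0]}
    user = KNOWN_USERS.get(claims["sub"])
    if user is None:
        # The issue's second option: a verified assertion for a subject with no local
        # account is refused, not JIT-provisioned. The lookup runs only after the
        # assertion has been fully validated, so an unverified caller learns nothing
        # about which subjects exist.
        return 400, {"error": "invalid_grant",
                     "error_description": "asserted subject has no account"}
    return 200, {"access_token": f"at-{user['id']}-{claims['jti']}",
                 "token_type": "Bearer", "expires_in": 300}


if __name__ == "__main__":
    now = time.time()
    for sub in ("alice@example.com", "bob@example.com"):
        token = mint_assertion({"iss": IDP_ISSUER, "aud": CHAT_AS_AUDIENCE,
                                "sub": sub, "jti": "demo", "exp": now + 60})
        print(sub, handle_token_request({"grant_type": JWT_BEARER, "assertion": token}, now))
```

The ordering is the point: signature, issuer, audience and expiry are checked before the account lookup, so the "no account" response is only ever sent to a client holding a genuine, in-date assertion from the trusted IdP. Returning `invalid_grant` with a descriptive `error_description` keeps the response within the error vocabulary clients already handle while still conveying the "user not found" reason the issue proposes.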