Following discussion on the July 15, 2025 IPSIE call, new language has been added to require support for `prompt=login`.

@deansaxe to review https://openid.net/specs/openid-connect-rpinitiated-1_0.html and update the wording if necessary to accommodate sessions.

Is there any expectation that the IdP session identifier remains static on reauthentication? (See notes from July 22 2025 meeting.)

Following the July 22, 2025 meeting, I took an action item to look at https://openid.net/specs/openid-connect-session-1_0.html (OIDC Session Management) and https://openid.net/specs/openid-connect-rpinitiated-1_0.html (OIDC RP Initiated Logout) to see if there are any relevant details that need to be pulled into IPSIE OIDC SL1. There are a few different issues to consider here: session management and the ability of the RP to force logout. I don't believe that IPSIE has considered session management at SL1 beyond, "Application-specific session lifetime MUST be set from the assertion" (see https://github.com/openid/ipsie/blob/main/ipsie-levels.md). SL1 does not include any provisions for OP or RP initiated logout; however, these are included at SL2/3. As a WG, we need to determine whether session management for the identity service is included at SL1. In the absence of a requirement for session management at SL1, I do not believe there are further actions to take on this PR. As always, if you feel differently, please let me know so we can find the path forward.

Following discussion on the July 15, 2025 IPSIE call, new language has been added to require support for `prompt=login`. Related to openid/ipsie#92.