G. Fletcher
Verizon Media
August 1, 2019

Initiating User Registration via OpenID Connect - draft 02
openid-connect-prompt-create-1_0

Abstract

An extension to the OpenID Connect Authentication Framework defining a new value for the prompt parameter that instructs the OpenID Provider to start the user flow with user registration and after the user account has been created return an authorization code to the client to complete the authentication flow.


Table of Contents

1. Introduction

Several years of deployment and implementation experience with OpenID Connect Core 1.0 has uncovered a need, in some circumstances, for the client to explicitly signal to the OpenID Provider that the user desires to create a new account rather than authenticate an existing identity.

This allows the client to indicate to the OpenID Provider that the user desires to create an account. This improves the user experience because the user doesn't have to first see the login form and then find the sign-up link on the form and select it before getting to the user's desired action.

This specification defines a new parameter value for the prompt parameter.

2. Requirements Notation and Conventions

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119.

In the .txt version of this specification, values are quoted to indicate that they are to be taken literally. When using these values in protocol messages, the quotes MUST NOT be used as part of the value. In the HTML version of this specification, values to be taken literally are indicated by the use of this fixed-width font.

3. Terminology

This specification uses the terms "authorization endpoint", "authorization request", "authorization response", and "client" defined by The OAuth 2.0 Authorization Framework.

4. Prompt Parameter

In requests to the OpenID Provider, a client MAY indicate that the desired user experience is for the user to immediately see the user account creation UI instead of the login behavior.

prompt

A value of create indicates to the OpenID Provider that the client desires that the user be shown the account creation UX rather than the login flow. Care must be taken if combining this value with other prompt values. Mututally exclusive conditions can arise so it is RECOMMENDED that create not be present with any other values.

4.1. Authorization Request

When the prompt parameter is used in an authorization request to the authorization endpoint with the value of create, it indicates that client desires the user be shown the account creation experience rather than the login experience. This behavior is the same for both the implicit flow (Section 3.2 of OpenID Connect Core 1.0), and the authorization code flow (Section 3.1 of OpenID Connect Core 1.0).

For authorization requests sent as a JWTs, such as when using JWT Secured Authorization Request, a single prompt parameter value is represented as a JSON string while multiple values are represented as an array of strings.

If the OpenID Provider fails to parse the provided value(s) it should ignore the prompt parameter value and proceed as if the prompt parameter was not specified.

  GET /as/authorization.oauth2?response_type=token
     &client_id=example-client
     &state=XzZaJlcwYew1u0QBrRv_Gw
     &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Eorg%2Fcb
     &prompt=create HTTP/1.1
  Host: authorization-server.example.com

Figure 1: Implicit Flow Authorization Request

An example of an authorization request where the client tells the OpenID Provider that it wants the user to start from the account creation user experience is shown in Figure 1 below (extra line breaks and indentation are for display purposes only).

  GET /as/authorization.oauth2?response_type=code
     &client_id=s6BhdRkqt3
     &state=tNwzQ87pC6llebpmac_IDeeq-mCR2wLDYljHUZUAWuI
     &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Eorg%2Fcb
     &scope=calendar%20contacts
     &prompt=create HTTP/1.1
  Host: authorization-server.example.com

Figure 2: Code Flow Authorization Request

Below in Figure 2 is an example of an authorization request using the code response type where the the client tells the OpenID Provider that it wants the user to start from the account creation user experience (extra line breaks and indentation are for display purposes only).

5. Security Considerations

Placeholder for now

6. References

6.1. Normative References

[OpenID.Core] Sakimura, N., Bradley, J., Jones, M., de Medeiros, B. and C. Mortimore, "OpenID Connect Core 1.0", November 2014.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997.
[RFC3986] Berners-Lee, T., Fielding, R. and L. Masinter, "Uniform Resource Identifier (URI): Generic Syntax", STD 66, RFC 3986, DOI 10.17487/RFC3986, January 2005.
[RFC6749] Hardt, D., "The OAuth 2.0 Authorization Framework", RFC 6749, DOI 10.17487/RFC6749, October 2012.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017.

6.2. Informative References

[I-D.ietf-oauth-jwsreq] Sakimura, N. and J. Bradley, "The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request (JAR)", Internet-Draft draft-ietf-oauth-jwsreq-16, April 2018.
[RFC6750] Jones, M. and D. Hardt, "The OAuth 2.0 Authorization Framework: Bearer Token Usage", RFC 6750, DOI 10.17487/RFC6750, October 2012.
[RFC7519] Jones, M., Bradley, J. and N. Sakimura, "JSON Web Token (JWT)", RFC 7519, DOI 10.17487/RFC7519, May 2015.
[RFC7644] Hunt, P., Grizzle, K., Ansari, M., Wahlstroem, E. and C. Mortimore, "System for Cross-domain Identity Management: Protocol", RFC 7644, DOI 10.17487/RFC7644, September 2015.
[RFC7662] Richer, J., "OAuth 2.0 Token Introspection", RFC 7662, DOI 10.17487/RFC7662, October 2015.

Appendix A. Acknowledgements

This specification was developed within OpenID connect Working Group of the OpenID Foundation. Additionally, the following individuals contributed ideas, feedback, and wording that helped shape this specification:

William Dennis

Appendix B. Document History

[[ to be removed by the RFC Editor before publication as an RFC ]]

2019-02-01

Removed "MUST" normative text and replacec with concept that prompt=create is more of a hint to the OpenID Provider.

Author's Address

George Fletcher Verizon Media EMail: gffletch@aol.com