
OP initiated login reflects valid OpenID Connect workflow?


I have a question regarding OpenID Connect and its workflows. In the documentation I've found that in the normal workflow the RP (client) will send a request to the OpenID Provider (OP) which would ideally contain the nonce parameter to mitigate replay attacks.

My question is whether a solution with OP-initiated login would also reflect a valid workflow by means of the OpenID Connect protocol or not. In detail, that means the OP-initiated login would redirect to the RP redirect_uri directly, sending in the ID token for validation. I know that this is less secure, but I want to know if that workflow would still reflect a valid workflow or if this should not be supported.

Patrick Penkala
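The nonce binding the question refers to, as an added example that is not part of the original post: a hypothetical RP mints a nonce and state at login start, stores them in the user's session, and on the callback only accepts an ID token whose nonce matches an outstanding request. An unsolicited, OP-initiated token arrives with no session-bound nonce, so the same check rejects it. Issuer, client id and redirect URI are constructed values, and JWT signature verification is assumed to happen before the claims reach this code.

```python
import secrets
import time
from urllib.parse import urlencode

# Constructed values for a hypothetical RP, not taken from any real deployment.
ISSUER = "https://op.example.com"
CLIENT_ID = "rp-client-id"
REDIRECT_URI = "https://rp.example.com/cb"


def begin_login(session: dict) -> str:
    """RP-initiated flow: mint nonce and state, bind them to the user's session,
    and build the authorization request the browser is redirected to."""
    session["oidc_nonce"] = secrets.token_urlsafe(32)
    session["oidc_state"] = secrets.token_urlsafe(32)
    params = {
        "response_type": "id_token",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid",
        "state": session["oidc_state"],
        "nonce": session["oidc_nonce"],
    }
    return f"{ISSUER}/authorize?{urlencode(params)}"


def validate_callback(session: dict, state: str, claims: dict, now=None) -> bool:
    """Validate ID token claims delivered to redirect_uri. The JWT signature is
    assumed to have been verified already against the OP's published keys.
    The nonce/state are consumed (popped) so a replayed token cannot match
    twice. An unsolicited, OP-initiated token finds no outstanding nonce in
    the session and is rejected for that reason alone."""
    now = time.time() if now is None else now
    expected_nonce = session.pop("oidc_nonce", None)
    expected_state = session.pop("oidc_state", None)
    if expected_nonce is None or expected_state is None:
        return False  # no RP-initiated request outstanding for this session
    if not secrets.compare_digest(state.encode(), expected_state.encode()):
        return False
    if claims.get("iss") != ISSUER or claims.get("aud") != CLIENT_ID:
        return False
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return False
    nonce = claims.get("nonce")
    if not isinstance(nonce, str):
        return False
    return secrets.compare_digest(nonce.encode(), expected_nonce.encode())
```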