Overview#
Authorization Server Authentication of the End-User is the step in which the OpenID Connect Authorization Server, ONLY after it has validated the Authentication Request, attempts to Authenticate the End-User or determines whether the End-User is already Authenticated, depending upon the Authentication Request parameters. The Authentication Methods used by the Authorization Server for Authentication of the End-User (e.g. username and password, session cookies, etc.) are beyond the scope of this specification. An Authentication user interface MAY be displayed by the Authorization Server, depending upon the request parameter values used and the Authentication Methods used.
The Authorization Server MUST attempt Authentication of the End-User in the following cases:
- The End-User is NOT already Authenticated.
- The Authentication Request contains the prompt Parameter with the value "login". In this case, the Authorization Server MUST re-authenticate the End-User even if the End-User is already authenticated.
The Authorization Server MUST NOT interact with the End-User in the following case:
- The Authentication Request contains the prompt Parameter with the value "none". In this case, the Authorization Server MUST NOT display any user interface and MUST return an OAuth Error (typically login_required, see Section 3.1.2.6 of OpenID Connect Core) if the End-User is not already Authenticated or could not be silently Authenticated. Note that "none" MUST NOT be combined with any other prompt value; such a request is itself an error.
When interacting with the End-User, the Authorization Server MUST employ appropriate measures against Cross-Site Request Forgery and Clickjacking, as described in Sections 10.12 and 10.13 of OAuth 2.0 RFC 6749: in practice, an unguessable per-form token that the login form must post back, and response headers that forbid the authentication page from being framed.
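The decision rules above (not Authenticated, prompt=login, prompt=none) together with the CSRF and Clickjacking protections, worked through as an added Python example. This is illustrative code written for this page, not the code of any OpenID Provider; the Session model, the field names and the function names are assumptions, and only the authentication decision is modelled (the "consent" and "select_account" prompt values affect later steps and are ignored here).

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Error codes returned when prompt=none forbids the interaction that would be
# needed (OpenID Connect Core 1.0, sections 3.1.2.1 and 3.1.2.6).
LOGIN_REQUIRED = "login_required"
INVALID_REQUEST = "invalid_request"


@dataclass
class Session:
    """Assumed model of what the Authorization Server knows about the browser session."""
    subject: Optional[str] = None          # identifier of an already-Authenticated End-User, else None
    silent_reauth_possible: bool = False   # e.g. a valid SSO token that can be renewed without any UI


def decide(prompt: Optional[str], session: Session) -> dict:
    """Decide how the Authorization Server treats one already-validated Authentication Request.

    Returns {"action": "authenticate" | "silent" | "skip", ...} or {"error": ...}.
    """
    values = set(prompt.split()) if prompt else set()

    # "none" combined with any other prompt value is an error (Core 3.1.2.1).
    if "none" in values and len(values) > 1:
        return {"error": INVALID_REQUEST}

    if "none" in values:
        # MUST NOT interact with the End-User: either reuse the session,
        # authenticate silently, or fail with login_required.
        if session.subject is not None:
            return {"action": "skip", "subject": session.subject}
        if session.silent_reauth_possible:
            return {"action": "silent"}
        return {"error": LOGIN_REQUIRED}

    if "login" in values:
        # MUST re-authenticate even if the End-User already has a session.
        return {"action": "authenticate", "reason": "prompt=login"}

    if session.subject is None:
        # MUST authenticate when there is no existing session.
        return {"action": "authenticate", "reason": "no session"}

    return {"action": "skip", "subject": session.subject}


def login_page_headers() -> dict:
    """Response headers for the authentication UI: forbid framing (Clickjacking, RFC 6749 10.13)."""
    return {
        "X-Frame-Options": "DENY",
        "Content-Security-Policy": "frame-ancestors 'none'",
        "Cache-Control": "no-store",
    }


def issue_csrf_token() -> str:
    """Unguessable per-form token (RFC 6749 10.12): the AS stores it server-side in the
    session and embeds it as a hidden field in the login form."""
    return secrets.token_urlsafe(32)


def csrf_token_valid(stored: Optional[str], submitted: Optional[str]) -> bool:
    """Constant-time comparison of the stored token with the one the form posted back."""
    if not stored or not submitted:
        return False
    return hmac.compare_digest(stored, submitted)


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    print(decide("none", Session()))                   # {'error': 'login_required'}
    print(decide("login", Session(subject="alice")))   # {'action': 'authenticate', 'reason': 'prompt=login'}
    print(decide(None, Session(subject="alice")))      # {'action': 'skip', 'subject': 'alice'}
    print(login_page_headers())
```

The "silent" branch exists only to make the "could not be silently Authenticated" case explicit; whether a real deployment can renew a session without UI depends on its Authentication Methods, which the specification deliberately leaves open.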