!!! Overview
[{$pagename}] is when the [OpenID Connect] [Authorization Server] attempts to [Authenticate] the [End-User] or determines whether the [End-User] is [Authenticated]. ONLY when the [Authentication Request] is valid does the [Authorization Server] attempt to [Authenticate] the [End-User] or determine whether the [End-User] is [Authenticated], depending upon the [Authentication Request] parameters.

The [Authentication Methods] used by the [Authorization Server] for [Authentication] of the [End-User] (e.g. username and password, session cookies, etc.) are beyond the scope of this specification. An [Authentication] user interface [MAY] be displayed by the [Authorization Server], depending upon the request parameter values used and the [Authentication Methods] used.

The [Authorization Server] [MUST] attempt [Authentication] of the [End-User] in the following cases:
* The [End-User] is __NOT__ already Authenticated.
* The [Authentication Request] contains the [prompt Parameter] with the value "login". In this case, the [Authorization Server] [MUST] re-authenticate the [End-User] even if the [End-User] is already [authenticated].

The [Authorization Server] [MUST NOT] interact with the [End-User] in the following case:
* The [Authentication Request] contains the [prompt Parameter] with the value "none". In this case, the [Authorization Server] [MUST] return an [OAuth Error] if an [End-User] is __not already__ [Authenticated] or could not be __silently Authenticated__.

When interacting with the [End-User], the [Authorization Server] [MUST] employ appropriate measures against [Cross-Site Request Forgery|Cross-site request forgery] and Clickjacking, as described in Sections 10.12 and 10.13 of [OAuth 2.0] [RFC 6749].

!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
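
The MUST / MUST NOT rules from the Overview, written out as a decision function over an already validated Authentication Request. This is an added example, not text from the specification or code from any Authorization Server. The names decide_authentication, Decision and session_authenticated are hypothetical, login_required is the OpenID Connect Core error code for this case, and it goes one step beyond the page by rejecting "none" combined with another prompt value, where the invalid_request code is this example's choice.

```python
from typing import NamedTuple, Optional
from urllib.parse import parse_qs


class Decision(NamedTuple):
    action: str                   # "authenticate", "proceed" or "error"
    error: Optional[str] = None   # error code sent back to the client


def decide_authentication(query: str, session_authenticated: bool) -> Decision:
    """Apply the rules above to an already validated Authentication Request."""
    params = parse_qs(query)
    # prompt is a space-delimited list of values; absent means no constraint.
    values = set(" ".join(params.get("prompt", [])).split())

    if "none" in values:
        if len(values) > 1:
            # "none" with any other value is an error in OpenID Connect Core;
            # answering with invalid_request is this example's choice.
            return Decision("error", "invalid_request")
        if session_authenticated:
            return Decision("proceed")       # no user interaction needed
        # MUST NOT interact, so the only option is an error response.
        return Decision("error", "login_required")

    if "login" in values or not session_authenticated:
        # MUST authenticate: forced re-authentication or no session yet.
        return Decision("authenticate")

    return Decision("proceed")


if __name__ == "__main__":
    # Constructed sample requests (client_id and redirect_uri are placeholders).
    base = ("response_type=code&client_id=example-client&scope=openid"
            "&redirect_uri=https%3A%2F%2Frp.example%2Fcb")
    for prompt, session in [("", False), ("", True), ("login", True),
                            ("none", True), ("none", False), ("none+login", True)]:
        q = base + (f"&prompt={prompt}" if prompt else "")
        print(f"prompt={prompt or '-':<11} session={session!s:<5} ->",
              decide_authentication(q, session))
```

The prompt=login branch is the one to test most carefully: an implementation that checks for an existing session first and returns early silently skips the forced re-authentication.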