A very happy New Year to all readers.
The LTI 1.3 Core Specification allows the
sub claim to be omitted from a resource link launch request message (see 188.8.131.52), thereby overriding the required status of this claim as defined in the IMS Security Framework (Version 1.0, 5.1.2). This leads me to ask the following questions:
- Why are anonymous deep linking messages not also allowed? [Section 3.4.5 of the Deep Linking Specification (Version 2.0) describes the
subclaim as being required.]
- In the OpenID connect launch flow, the
login_hintis required and should be a hint about the login identifier the End-User might use to log in (IMS Security Framework, Version 1.0, 184.108.40.206). Does this mean the user ID must be passed in this parameter, even when the subsequent message is anonymous? If not, is there any guidance on what value should be passed, or whether the parameter should be omitted?