Parameter "id_token_hint" is ignored

[sgomez]

According https://openid.net/specs/openid-connect-core-1_0.html#rfc.section.3.1.2.1

id_token_hint is a ID Token previously issued by the Authorization Server being passed as a hint about the End-User's current or past authenticated session with the Client.

This parameter is ignored

[mrvanes]

Currently Microsoft has an External Authentication Method [1] in preview that allows 3rd party OIDC providers to provide Entra ID MFA for Azure based applications. The authorization call contains a signed id_token_hint that needs to be parsed and verified and requires the OP to return the authorization result as a form_post.
It would be nice if the simpleSAMLphp OIDC module would support these requests.

[1] https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-external-method-provider#microsoft-entra-id-call-to-the-external-identity-provider

[cicnavi]

Note for response mode related specs:

• query, fragment (supported): https://openid.net/specs/oauth-v2-multiple-response-types-1_0.html
• form_post (not supported): https://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html