Authorization servers in the OAuth Web Callback flow and the User Agent flow should have the option to redirect back with access/refresh tokens without prompting the user, if the client has already been granted access to the protected resource.
This is already implied by some of the text (3.4.3.1: "After receiving (or establishing via other means) an authorization decision from the resource owner"), but is not supported by the example flows.

Suggested changes:

3.4.1 Web Callback Flow

(B) The authorization server authenticates the end user (via the user-agent) and *MAY prompt* the end user to grant or deny the client's access request.

(C) *If the authorization server determines the client has access to the protected resource*, the authorization server redirects the user-agent back to the client to the callback URI provided earlier. The authorization includes a verification code for the client to use to obtain an access token.

3.4.3 User Agent Flow

(B) The authorization server authenticates the end user (via the user-agent) and *MAY prompt* the end user to grant or deny the client's access request.

(C) *If the authorization server determines the client has access to the protected resource*, the authorization server redirects the user-agent to the redirection URI provided earlier. The redirection URI includes the access token in the URI fragment.

Also, in cases where the authorization server doesn't prompt the user, we may want the ability for a client to ask for an immediate decision from the server instead of prompting the user, using a parameter.

Suggested changes:

3.4.1.1 Web Callback Flow | Client Requests Authorization
3.4.3.1 User Agent Flow | Client Requests Authorization

(new parameter)

immediate
    OPTIONAL. The parameter value must be set to "true" or "false" (case sensitive). If set to "true", then the authorization flow MUST check immediately if the client has access to the protected resource and redirect back with a successful response or a "user_denied" error without prompting the user.

Evan
_______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
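Added example (not from the post or the OAuth draft): a sketch of how an authorization server's step (C) could implement the proposed behaviour, covering both flows and the proposed "immediate" parameter. The grant store, client names, scopes and the response parameter names ("code", "access_token") are assumptions made for the example.

```python
import secrets
from urllib.parse import urlencode, urlsplit, urlunsplit

# Constructed sample grant store: (client_id, user_id) -> scopes already granted.
GRANTS = {("photo-printer", "alice"): {"photos.read"}}


def already_authorized(store, client_id, user_id, scope):
    """True when every requested scope was previously granted to this client."""
    return set(scope) <= store.get((client_id, user_id), set())


def build_redirect(redirect_uri, params, use_fragment):
    """Append params to redirect_uri: in the URI fragment for the User Agent flow,
    as query parameters for the Web Callback flow. An existing query is preserved."""
    parts = urlsplit(redirect_uri)
    encoded = urlencode(params)
    if use_fragment:
        return urlunsplit(parts._replace(fragment=encoded))
    query = f"{parts.query}&{encoded}" if parts.query else encoded
    return urlunsplit(parts._replace(query=query))


def handle_authorization(request, user_id, flow, store=GRANTS):
    """Step (C) for an already authenticated end user.
    Returns ("redirect", uri) when no prompt is needed, or ("prompt", None) when
    the server should show the grant/deny page. flow is "web_callback" or "user_agent"."""
    immediate = request.get("immediate", "false")
    if immediate not in ("true", "false"):  # values are case sensitive per the proposal
        raise ValueError("immediate must be 'true' or 'false'")  # assumed handling
    use_fragment = flow == "user_agent"
    redirect_uri = request["redirect_uri"]
    if already_authorized(store, request["client_id"], user_id, request["scope"]):
        # Prior grant found: redirect straight back without prompting.
        # Web Callback flow gets a verification code; User Agent flow gets the token.
        if use_fragment:
            success = {"access_token": secrets.token_urlsafe(24)}
        else:
            success = {"code": secrets.token_urlsafe(24)}
        return ("redirect", build_redirect(redirect_uri, success, use_fragment))
    if immediate == "true":
        # Client asked for an immediate decision and no grant exists: deny, no prompt.
        return ("redirect", build_redirect(redirect_uri, {"error": "user_denied"}, use_fragment))
    return ("prompt", None)
```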
