Are there use cases for the 'immediate' parameter where a companion parameter
for identity (e.g. 'username') is not needed or required? The purpose of the
'immediate' parameter is for the authorization server to authenticate the end
user via some automatic means (usually a cookie) and check if an access token
was already issued for that end user / client identifier combination.

This parameter is only useful when the client is already familiar with the end
user (not the first time it seeks authorization), in which case, it should pass
that information along to make sure the same user is logged into the
authorization server.

If all the use cases require both, we should include both and make one required
if the other is present.

EHL
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
How does the client determine the end-user's identity (at the AS) in the
initial authorization transaction? Will you introduce a respective
response parameter?

regards,
Torsten.