Yep, we need to take care of that too. What I'm getting at is that it seems like we need a better story about identity and 'immediate' in OAuth which seems to be more about the use cases of the OpenID Connect proposal than the OAuth core proposal. However, since these use cases are very important to many of the participants here in the context of implementing *OAuth* (not OpenID), we should provide some support.
What I'm thinking is to take the 'immediate' parameter out, and write a simple OAuth identity extension spec where it will be included, as well as the requested 'username' parameter (or whatever we decide to call it). It will not include any discovery (which is probably going to be another spec), just how to establish and verify identity using OAuth once you know where the token endpoint is and have client credentials (registered). But back to my original email, what are the use cases for 'immediate' without identity?

EHL

> -----Original Message-----
> From: Torsten Lodderstedt [mailto:[email protected]]
> Sent: Sunday, May 23, 2010 2:38 AM
> To: Eran Hammer-Lahav
> Cc: OAuth WG ([email protected])
> Subject: Re: [OAUTH-WG] 'immediate' without identity
>
> > Are there use cases for the 'immediate' parameter where a companion parameter for identity (e.g. 'username') is not needed or required? The purpose of the 'immediate' parameter is for the authorization server to authenticate the end user via some automatic means (usually a cookie) and check if an access token was already issued for that end user / client identifier combination.
> >
> > This parameter is only useful when the client is already familiar with the end user (not the first time it seeks authorization), in which case, it should pass that information along to make sure the same user is logged into the authorization server.
> >
> > If all the use cases require both, we should include both and make one required if the other is present.
> >
> > EHL
> >
> > _______________________________________________
> > OAuth mailing list
> > [email protected]
> > https://www.ietf.org/mailman/listinfo/oauth
>
> How does the client determine the end-user's identity (at the AS) in the initial authorization transaction? Will you introduce a respective response parameter?
>
> regards,
> Torsten.
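The behaviour EHL describes for 'immediate' (silent authentication via a cookie, a check for an existing grant for the user/client pair, and a companion 'username' so the server can confirm that the same user is logged in), as an added Python sketch that is not code from the thread or from any OAuth draft; the session and grant stores, the parameter names and the status labels are assumptions.

```python
# Constructed sample data (assumption): cookie -> end user authenticated at the
# authorization server, and (username, client_id) -> access token already issued.
SESSIONS = {"cookie-alice": "alice", "cookie-bob": "bob"}
GRANTS = {("alice", "client-1"): "token-alice-c1"}


def handle_immediate(params, cookie, sessions=SESSIONS, grants=GRANTS):
    """Process an authorization request with immediate=true without ever
    prompting the end user.

    Returns (status, token). The status strings are hypothetical labels; a real
    server would map them onto its protocol's success and error responses.
    """
    if params.get("immediate") != "true":
        return ("not_immediate", None)      # interactive flow, out of scope here
    username = params.get("username")
    client_id = params.get("client_id")
    # The thread proposes that 'immediate' and 'username' are mandatory together:
    # without the hint the server cannot tell whether the expected user is the
    # one currently logged in.
    if not username or not client_id:
        return ("invalid_request", None)
    user = sessions.get(cookie)             # automatic authentication via cookie
    if user is None:
        return ("login_required", None)     # cannot authenticate silently
    if user != username:
        # A different end user is logged in at the authorization server.
        # Issuing a token now would bind the client's session to the wrong
        # account, so refuse rather than continue silently.
        return ("user_mismatch", None)
    token = grants.get((username, client_id))
    if token is None:
        return ("authorization_required", None)  # no prior grant; needs a prompt
    return ("ok", token)


if __name__ == "__main__":
    req = {"immediate": "true", "username": "alice", "client_id": "client-1"}
    print(handle_immediate(req, "cookie-alice"))   # ('ok', 'token-alice-c1')
    print(handle_immediate(req, "cookie-bob"))     # ('user_mismatch', None)
```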
