How does this work if there are two people using the same computer and the other user is the one currently logged into the server?
I think the client should be required to tell the server who the user is when using immediate to avoid this problem.

EHL

> -----Original Message-----
> From: Dick Hardt [mailto:[email protected]]
> Sent: Sunday, May 23, 2010 8:01 PM
> To: Eran Hammer-Lahav
> Cc: Torsten Lodderstedt; OAuth WG ([email protected])
> Subject: Re: [OAUTH-WG] 'immediate' without identity
>
> On 2010-05-23, at 8:40 AM, Eran Hammer-Lahav wrote:
> > But back to my original email, what are the use cases for 'immediate' without identity?
>
> The client may not have any indication of which user it is, but want to check if it is a user they already know. They can do a check immediate, get the token, then make an API call to see which user it is.
>
> This would be the case if the user has used the client, but is now on a different machine or has cleared cookies.
>
> -- Dick

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
