Seems like bad server policy to me. By limiting immediate mode to times when 
the client knows who the user is, the server keeps control over when to 
automatically issue access tokens to clients. After all, the server can use 
immediate mode even when not asked for.

The scenario you are talking about is the rare case of a user using a client 
for the first time on a given computer. This doesn't happen often.

I am not suggesting that the spec will mandate usernames (though I would never 
write a server allowing immediate without a username). I am simply asking if 
there are use cases where the two are completely unrelated. That is, unrelated 
enough to live in separate specifications (since the username/identity part is 
going to live elsewhere).

BTW, single sign on is all about identity, even when implicit. You are 
suggesting a single sign on system in which no one cares if the same identity 
is maintained across applications. Odd.

EHL

> -----Original Message-----
> From: Luke Shepard [mailto:[email protected]]
> Sent: Monday, May 24, 2010 8:56 AM
> To: Eran Hammer-Lahav
> Cc: Dick Hardt; OAuth WG ([email protected])
> Subject: Re: [OAUTH-WG] 'immediate' without identity
> 
> +1 to Dick.
> 
> Eran - this is a very common use case. You can't require the client to know
> who the user is ahead of time.
> 
> If the other user is the one currently logged into the server, then that's the
> ID that is returned. It's up to the client to figure out what to do - in most
> cases, they will treat the identity returned from the server as authoritative.
> That's what single sign on is.
> 
> On May 23, 2010, at 10:32 PM, Eran Hammer-Lahav wrote:
> 
> > How does this work if there are two people using the same computer and
> > the other user is the one currently logged into the server?
> >
> > I think the client should be required to tell the server who the user is
> > when using immediate to avoid this problem.
> >
> > EHL
> >
> >> -----Original Message-----
> >> From: Dick Hardt [mailto:[email protected]]
> >> Sent: Sunday, May 23, 2010 8:01 PM
> >> To: Eran Hammer-Lahav
> >> Cc: Torsten Lodderstedt; OAuth WG ([email protected])
> >> Subject: Re: [OAUTH-WG] 'immediate' without identity
> >>
> >> On 2010-05-23, at 8:40 AM, Eran Hammer-Lahav wrote:
> >>> But back to my original email, what are the use cases for 'immediate'
> >>> without identity?
> >>
> >>
> >> The client may not have any indication of which user it is, but want
> >> to check if it is a user they already know. They can do a check
> >> immediate, get the token, then make an API call to see which user it is.
> >>
> >> This would be the case if the user has used the client, but is now on
> >> a different machine or has cleared cookies.
> >>
> >> -- Dick
> >
> > _______________________________________________
> > OAuth mailing list
> > [email protected]
> > https://www.ietf.org/mailman/listinfo/oauth
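The two positions in this thread, as an added example that is not code from the thread, the OAuth WG, or any OAuth draft: a toy authorization server whose immediate-mode path does what Eran argues for (it issues a token automatically only when the user the client names is the user actually logged in at the server, and refuses on the shared-computer mismatch) and a client that uses it the way Dick describes (ask in immediate mode with no idea who the user is, then call an identity API with the token). Only `immediate` comes from the thread; `user_hint`, `AuthServer`, `whoami` and the error strings are assumptions made for this example.

```python
# Added example, not from the OAuth WG thread or any OAuth specification.
# Models the immediate-mode decision discussed in the thread. Only the
# `immediate` flag is from the thread; `user_hint`, the error strings and
# the identity API `whoami` are assumptions for this example.
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class AuthResult:
    ok: bool
    token: Optional[str] = None
    error: Optional[str] = None


@dataclass
class AuthServer:
    # user currently logged in via the browser session; None if nobody is
    logged_in_user: Optional[str] = None
    # (client_id, user_id) pairs the user approved in an earlier interactive flow
    approvals: Set[Tuple[str, str]] = field(default_factory=set)
    # opaque token -> user it was issued for (backs the identity API below)
    issued: Dict[str, str] = field(default_factory=dict)

    def authorize(self, client_id: str, immediate: bool,
                  user_hint: Optional[str] = None) -> AuthResult:
        """Authorization endpoint, immediate-mode path only.

        Immediate mode never shows UI, so every refusal is an error the
        client has to resolve by starting an interactive authorization.
        """
        if not immediate:
            return AuthResult(False, error="interactive_flow_required")
        if self.logged_in_user is None:
            # nobody is logged in at the server: nothing can be issued silently
            return AuthResult(False, error="login_required")
        if user_hint is not None and user_hint != self.logged_in_user:
            # Eran's shared-computer case: the client expects one user, the
            # server session belongs to another. Refuse rather than hand the
            # client a token for the wrong person.
            return AuthResult(False, error="user_mismatch")
        if (client_id, self.logged_in_user) not in self.approvals:
            # the logged-in user never approved this client; immediate mode
            # cannot prompt them, so it cannot issue
            return AuthResult(False, error="approval_required")
        token = secrets.token_urlsafe(16)
        self.issued[token] = self.logged_in_user
        return AuthResult(True, token=token)

    def whoami(self, token: str) -> Optional[str]:
        """Stand-in for the API call in Dick's flow: the client presents the
        token it just received and learns which user it belongs to."""
        return self.issued.get(token)


def client_immediate_check(server: AuthServer, client_id: str,
                           remembered_user: Optional[str]) -> Tuple[str, Optional[str]]:
    """Client side of both flows in the thread.

    remembered_user is the identity the client stored earlier, or None when
    it has no idea who is at the keyboard (new machine, cleared cookies).
    Returns (status, user): "known_user" when the token belongs to the
    remembered user, "identified" when the client learned the identity from
    the API, otherwise the server's error string and no user.
    """
    result = server.authorize(client_id, immediate=True, user_hint=remembered_user)
    if not result.ok:
        return result.error, None
    user = server.whoami(result.token)
    status = "known_user" if remembered_user == user else "identified"
    return status, user
```

Passing `user_hint=None` is exactly the "immediate without identity" case the thread debates: the server will still issue, and the client only discovers afterwards which user it was talking to. Passing the remembered identity as the hint turns the shared-computer situation into an explicit `user_mismatch` refusal instead of a token for the other person.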
