On 2010-05-24, at 8:55 AM, Eran Hammer-Lahav wrote:

>
>
>> -----Original Message-----
>> From: Dick Hardt [mailto:[email protected]]
>> Sent: Monday, May 24, 2010 7:35 AM
>> To: Eran Hammer-Lahav
>> Cc: OAuth WG ([email protected])
>> Subject: Re: [OAUTH-WG] 'immediate' without identity
>>
>> You were looking for use cases for immediate without identity.
>>
>> I agree that *if* the client does know the user, then it should tell the
>> server.
>> Are you saying that if the client does not know the user it should not use
>> immediate?
>
> I think the server should reject an immediate request without a username.
> Otherwise the server will be giving the client an access token that belongs
> to another user.

Now I understand. I agree.

-- Dick
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
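
The check agreed on in this thread, sketched as an added example that is not part of the original messages or of any OAuth draft text. The `immediate` and `username` names come from the thread; the function, the outcome strings, and the sample users and client are constructed assumptions.

```python
# Added illustration: authorization-server decision for an 'immediate'
# (no user interaction) request. Outcome strings are hypothetical labels,
# not error codes taken from the OAuth specification.
from dataclasses import dataclass
from typing import Optional, Set, Tuple


@dataclass
class AuthzRequest:
    client_id: str
    immediate: bool
    username: Optional[str] = None  # who the client believes the user is


def decide(req: AuthzRequest,
           session_user: Optional[str],
           approvals: Set[Tuple[str, str]]) -> str:
    """Return the server's decision for one authorization request.

    session_user: user logged in at the server in this browser, if any.
    approvals: (user, client_id) pairs the user has already approved.
    """
    if not req.immediate:
        # Normal flow: the server can show a login/consent page.
        return "interactive"
    if not req.username:
        # Without a username the server cannot tell whether the browser
        # session belongs to the person the client thinks it is serving.
        return "reject:missing_username"
    if session_user is None:
        return "reject:no_session"
    if req.username != session_user:
        # Issuing here would hand the client another user's token.
        return "reject:user_mismatch"
    if (session_user, req.client_id) not in approvals:
        # Immediate mode must not silently grant new access.
        return "reject:not_approved"
    return "issue_token:" + session_user


# Constructed sample state: bob is logged in and has approved "photo-app".
APPROVALS = {("bob", "photo-app")}
```
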
