Suppose the client does not have a username - say, because the cookie expired. 
What is the appropriate behavior?

Would you require the client to spawn a popup or redirect to a full page auth 
every time a user revisits their site? This doesn't make sense.

Under what circumstances do you think the client gives an access token that 
belongs to another user? If the user is logged into the service provider, then 
they can get that access token anyway by just visiting the service provider ...

On May 24, 2010, at 11:18 AM, Dick Hardt wrote:

> 
> On 2010-05-24, at 8:55 AM, Eran Hammer-Lahav wrote:
> 
>> 
>> 
>>> -----Original Message-----
>>> From: Dick Hardt [mailto:[email protected]]
>>> Sent: Monday, May 24, 2010 7:35 AM
>>> To: Eran Hammer-Lahav
>>> Cc: OAuth WG ([email protected])
>>> Subject: Re: [OAUTH-WG] 'immediate' without identity
>>> 
>>> You were looking for use cases for immediate without identity.
>>> 
>>> I agree that *if* the client does know the user, then it should tell the 
>>> server.
>>> Are you saying that if the client does not know the user it should not use
>>> immediate?
>> 
>> I think the server should reject an immediate request without a username. 
>> Otherwise the server will be giving the client an access token that belongs 
>> to another user.
> 
> Now I understand. I agree.
> 
> -- Dick
> 
> _______________________________________________
> OAuth mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/oauth

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
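The disagreement above is about one decision an authorization server makes when it receives an 'immediate' (no user interaction allowed) request: issue a token for whoever is logged in at the server, or refuse unless the client names the user it expects. The following Python sketch is an added example, not code from the OAuth WG thread or any OAuth implementation. The session store, user names, the `require_username` switch and the error strings are all constructed for illustration; they are not identifiers from any OAuth draft.

```python
# Added example: a minimal authorization-server decision for an OAuth
# 'immediate' request, contrasting the two positions in the thread.
# Everything below (session store, users, error strings) is constructed.

from dataclasses import dataclass
from typing import Optional

# Constructed server-side state: which user is logged in under each
# browser session cookie at the service provider.
SESSIONS = {
    "sess-alice": "alice",
    "sess-bob": "bob",
}


@dataclass
class AuthResult:
    status: str                      # "token" or "error"
    token_owner: Optional[str] = None
    error: Optional[str] = None      # constructed error names, not spec values


def handle_immediate(session_id: str,
                     username_hint: Optional[str] = None,
                     require_username: bool = True) -> AuthResult:
    """Decide an 'immediate' (no-UI) authorization request.

    require_username=True  models rejecting any immediate request that does
                           not say which user the client expects.
    require_username=False models issuing a token for whoever happens to be
                           logged in at the server, regardless of what the
                           client's own (possibly expired) session assumed.
    """
    logged_in = SESSIONS.get(session_id)
    if logged_in is None:
        # Nobody is logged in and immediate mode forbids prompting.
        return AuthResult("error", error="immediate_unsuccessful")

    if username_hint is None:
        if require_username:
            return AuthResult("error", error="missing_username")
        # Lenient mode: the token is bound to the server's current user,
        # which may not be the account the client's own session belonged to.
        return AuthResult("token", token_owner=logged_in)

    if username_hint != logged_in:
        # The client expected a different user than the one logged in here;
        # handing out a token would silently bind it to the wrong account.
        return AuthResult("error", error="user_mismatch")

    return AuthResult("token", token_owner=logged_in)


def shared_browser_scenario() -> dict:
    """The case the thread worries about: the client's cookie for 'alice'
    expired, but the browser's session at the service provider now belongs
    to 'bob' (shared computer). Returns what each policy would hand back."""
    return {
        "strict": handle_immediate("sess-bob", None, require_username=True),
        "lenient": handle_immediate("sess-bob", None, require_username=False),
    }


if __name__ == "__main__":
    for policy, result in shared_browser_scenario().items():
        print(policy, result)
```

In the lenient branch the client, which still believes it is acting for alice, receives a token that in fact belongs to bob; the strict branch turns that into an explicit error the client can handle by falling back to a full (non-immediate) authorization.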
