The security considerations section does recommend not automatically processing
repeated authorizations without validating the client's identity:
The authorization server SHOULD NOT automatically, without active
end-user interaction, process repeated authorization requests without
authenticating the client or relying on other measures to ensure the
repeated request comes from a valid client and not an impersonator.
BTW: I would suggest rephrasing the last part to "... comes from the
same client as authorized by the original authorization request"
regards,
Torsten.
On 31.05.2011 21:06, Brian Campbell wrote:
On Tue, May 31, 2011 at 12:00 PM, Doug Tangren <[email protected]> wrote:
I think there is still a usability issue with the implicit flow in
general where there is no way in the spec to obtain an access
token without re-asking the user for authorization a second time
even if the user has already authorized your client.
I don't think there is anything in the spec (correct me if I'm wrong)
saying that an AS couldn't "remember" a user's authorization for a
given client using implicit so as to avoid subsequent prompts for
authorization?
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
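An added example, not from this thread or any OAuth implementation, showing how an authorization server might "remember" consent for an implicit-flow client as Brian suggests while still observing the SHOULD NOT Torsten quotes. Since implicit clients cannot authenticate, the "other measure" assumed here is exact matching of redirect_uri against a pre-registered URI; the client registry, consent store and requests are all constructed for illustration.

```python
from dataclasses import dataclass

# Constructed client registry: client_id -> exact registered redirect URIs.
# (Assumption: registration of the redirect URI is the measure that stands in
# for client authentication with a public, implicit-flow client.)
REGISTERED = {
    "photo-web": {"https://photo.example/cb"},
}


@dataclass(frozen=True)
class Consent:
    user: str
    client_id: str
    scopes: frozenset  # scopes the user approved in the original request


class ConsentStore:
    """Remembered authorizations, keyed by (user, client_id)."""

    def __init__(self):
        self._grants = {}

    def remember(self, consent: Consent):
        self._grants[(consent.user, consent.client_id)] = consent

    def lookup(self, user, client_id):
        return self._grants.get((user, client_id))


def decide(store, user, client_id, redirect_uri, scope):
    """Return 'auto_approve' if a remembered grant may be reused without
    prompting, 'prompt' if the user must be asked again, or 'reject' if the
    request must not be honoured at all (unknown client or redirect_uri)."""
    registered = REGISTERED.get(client_id)
    if registered is None:
        return "reject"
    # Exact string comparison, no normalisation: a request reusing a known
    # client_id but pointing the token somewhere else is not the same client.
    if redirect_uri not in registered:
        return "reject"
    prior = store.lookup(user, client_id)
    requested = set(scope.split())
    # Only reuse consent for scopes the user already approved; anything new
    # (or a user with no prior grant) goes back through the consent screen.
    if prior is None or not requested <= prior.scopes:
        return "prompt"
    return "auto_approve"
```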