In OAuth 2 the A is Authorization, not Authentication. Not all flows support user interaction, so it can't be a MUST to present a dialog, as that may not be possible.
For flows such as code and implicit, the Authorization server should present the user with a choice of allowing the requested scopes. Depending on the protected resource and client, the Authorization server may not present each scope individually; it would depend on the API being protected.

Your question seems to presume some sort of federated login like Facebook Connect or OpenID Connect. The specifics of using OAuth for federated login are out of scope for the core OAuth spec. In those cases you need to inform the user and involve extensions to OAuth for security and dealing with login sessions. You can look at OpenID Connect or Google's documentation on using OAuth for SSO to get more information on that use-case.

On 2012-08-03, at 6:23 AM, Jérôme LELEU wrote:

> Said like that, I feel totally stupid... but it's not totally without their
> consent, they previously clicked on the "Authenticate at the OAuth provider"
> link...
>
> I understand that it's mandatory.
>
> Thanks,
> Jérôme
>
>
> 2012/8/3 Doug Tangren <[email protected]>
>
> What are the security concerns about not having such "Allow / disallow"
> screen ?
>
> Obtaining access to a user's data without their consent?
>
> _______________________________________________
> OAuth mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/oauth
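The consent step the reply above describes, as an added example that is not code from the thread or from any IETF document: a minimal authorization-code-flow `/authorize` handler that validates the request, shows the user exactly the scopes being requested, and only then issues a code bound to what the user actually approved (or sends `error=access_denied` back to the client). The client registry, scope descriptions, URLs and the in-memory code store are constructed for the example; requiring `redirect_uri` on every request is a simplification of RFC 6749, which allows it to be omitted when only one URI is registered.

```python
"""Minimal OAuth 2.0 authorization-server consent step (code flow).

Added example, not from the mailing-list thread. Everything below
(clients, scope text, code store) is constructed for illustration.
"""
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed client registry: exact-match redirect URIs and the scopes each
# client is permitted to request at all.
CLIENTS = {
    "client-abc": {
        "redirect_uris": {"https://app.example/cb"},
        "allowed_scopes": {"profile", "email", "contacts.read"},
    },
}

# Constructed, human-readable text for the consent screen.
SCOPE_TEXT = {
    "profile": "See your basic profile",
    "email": "See your email address",
    "contacts.read": "Read your contacts",
}

ISSUED_CODES = {}        # code -> record; a real server would persist this
CODE_TTL_SECONDS = 600   # RFC 6749 recommends a short code lifetime


class NonRedirectableError(Exception):
    """Bad client_id or redirect_uri: show an error page, never redirect
    (RFC 6749 section 4.1.2.1), or the error becomes an open redirect."""


class RedirectableError(Exception):
    """An error the server may report to the client's registered redirect_uri."""

    def __init__(self, error: str, description: str, req: dict):
        super().__init__(description)
        self.error, self.description, self.req = error, description, req


def parse_authorization_request(url: str) -> dict:
    """Validate an /authorize request and return the normalised request."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    for name, values in query.items():
        if len(values) > 1:          # parameters MUST NOT be repeated
            raise NonRedirectableError(f"parameter {name} repeated")
    params = {k: v[0] for k, v in query.items()}

    client = CLIENTS.get(params.get("client_id", ""))
    if client is None:
        raise NonRedirectableError("unknown client_id")
    redirect_uri = params.get("redirect_uri", "")
    if redirect_uri not in client["redirect_uris"]:
        raise NonRedirectableError("redirect_uri is not registered for this client")

    req = {"client_id": params["client_id"], "redirect_uri": redirect_uri,
           "state": params.get("state")}
    if params.get("response_type") != "code":
        raise RedirectableError("unsupported_response_type",
                                "only response_type=code is supported", req)
    requested = set(params.get("scope", "").split())
    unknown = requested - client["allowed_scopes"]
    if unknown:
        raise RedirectableError("invalid_scope",
                                "scope not permitted: " + " ".join(sorted(unknown)), req)
    req["scope"] = requested
    return req


def consent_prompt(req: dict) -> list:
    """What the user is shown, one line per requested scope. Nothing is granted yet."""
    return [f"{req['client_id']} asks to: {SCOPE_TEXT[s]}" for s in sorted(req["scope"])]


def _redirect(req: dict, params: dict) -> str:
    if req["state"] is not None:     # echo state so the client can bind the response
        params["state"] = req["state"]
    return req["redirect_uri"] + "?" + urlencode(params)


def error_redirect(err: RedirectableError) -> str:
    return _redirect(err.req, {"error": err.error, "error_description": err.description})


def record_decision(req: dict, user_id: str, approved) -> str:
    """Build the redirect after the consent screen.

    approved is the set of scopes the user ticked; None or an empty set means
    the user clicked "deny". Only the intersection with the requested scopes
    is ever granted, so a tampered consent form cannot add scopes.
    """
    granted = set(approved or ()) & req["scope"]
    if not granted:
        return _redirect(req, {"error": "access_denied"})
    code = secrets.token_urlsafe(32)
    ISSUED_CODES[code] = {
        "client_id": req["client_id"],
        "redirect_uri": req["redirect_uri"],   # must match again at the token endpoint
        "user": user_id,
        "scope": granted,
        "expires": time.time() + CODE_TTL_SECONDS,
    }
    return _redirect(req, {"code": code})


if __name__ == "__main__":
    url = ("https://as.example/authorize?response_type=code&client_id=client-abc"
           "&redirect_uri=https%3A%2F%2Fapp.example%2Fcb&scope=profile+email&state=xyz")
    req = parse_authorization_request(url)
    print("\n".join(consent_prompt(req)))
    print(record_decision(req, "alice", {"profile"}))   # code bound to profile only
    print(record_decision(req, "alice", None))          # ...?error=access_denied&state=xyz
```

The two points worth carrying into a real implementation: the consent decision is stored as the granted scope set on the code, so the token endpoint hands out no more than the user saw on the screen; and a request with an unregistered `redirect_uri` is answered in place rather than redirected, since redirecting an error to an attacker-chosen URI is how the consent screen turns into an open redirect.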
