Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Define "explicit RO authentication" #139

Open
aaronpk opened this issue Mar 13, 2023 · 0 comments
Open

Define "explicit RO authentication" #139

aaronpk opened this issue Mar 13, 2023 · 0 comments
Labels
draft-00-feedback Feedback from reviews of draft -00 ietf-116

Comments

@aaronpk
Copy link
Member

aaronpk commented Mar 13, 2023

From RFC6749 Security Considerations

The authorization server SHOULD enforce explicit resource owner authentication and provide the resource owner with information about the client and the requested authorization scope and lifetime. It is up to the resource owner to review the information in the context of the current client and to authorize or deny the request.

What does this mean in practice?

  • Is it a full credential prompt regardless of whether one session already exists?
  • A selection between existing sessions, if present?
@aaronpk aaronpk added draft-00-feedback Feedback from reviews of draft -00 ietf-116 labels Mar 13, 2023
# for free to join this conversation on GitHub. Already have an account? # to comment
Labels
draft-00-feedback Feedback from reviews of draft -00 ietf-116
Projects
None yet
Development

No branches or pull requests

1 participant