Define "explicit RO authentication" #139

Open
aaronpk opened this issue Mar 13, 2023 · 0 comments
Labels
draft-00-feedback Feedback from reviews of draft -00 ietf-116

Comments

@aaronpk (Member)

aaronpk commented Mar 13, 2023

From the RFC 6749 Security Considerations:

The authorization server SHOULD enforce explicit resource owner authentication and provide the resource owner with information about the client and the requested authorization scope and lifetime. It is up to the resource owner to review the information in the context of the current client and to authorize or deny the request.

What does this mean in practice?

  • Is it a full credential prompt regardless of whether one session already exists?
  • A selection between existing sessions, if present?
@aaronpk aaronpk added draft-00-feedback Feedback from reviews of draft -00 ietf-116 labels Mar 13, 2023