User 1 is logged into Client site User 2 is logged into IDP site This can happen quite frequently, as client sites often have long-lived cookies and may only be visited by one user on a shared computer.
Right now client site has no way to ask for a token for User 1, and end result will be that User 1 starts seeing User 2's data. On Mon, Apr 19, 2010 at 8:37 AM, Eran Hammer-Lahav <e...@hueniverse.com>wrote: > How can they both be logged in? I have never seen a case where two users > can be both logged into to the same service at the same time... > > EHL > > > > On 4/19/10 8:33 AM, "Evan Gilbert" <uid...@google.com> wrote: > > More details on this enhancement. > > Goal: Make sure you get an access token for the right user in immediate > mode. > > Use case where we have problems if we don't have username parameter: > > 1. Bob is logged into a web site as b...@idp.com. > 2. Mary (his wife) is logged into IDP on the same computer as > m...@idp.com > 3. A request is made to get an access token via the User-Agent flow in > immediate mode (or with any redirect without prompting the user) > 4. -ob now has an access token for Mary and (posts activities, > schedules events, gets contacts) as Mary > 5. Hilarity ensues > > > Secondary goal: Provide a hint for non-immediate mode > > On Thu, Apr 15, 2010 at 11:55 AM, Eran Hammer-Lahav <e...@hueniverse.com> > wrote: > > Evan Gilbert proposed a 'username' request parameter to allow the client to > limit the end user to authenticate using the provided authorization server > identifier. The proposal has not been discussed or supported by others, and > has not received a security review. > > Proposal: Obtain further discussion and support from others, as well as a > security review of the proposal. Otherwise, do nothing. > > EHL > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > > > >
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
