> Are there use cases for the 'immediate' parameter where a companion parameter for identity (e.g. 'username') is not needed or required?

Yes. A client app might want to offer a bit of personalization if it can provide it silently (eg by reading a protected resource on a visitor’s behalf), regardless of whether or not it has identified the visitor yet.

I don't think it is necessary (or helpful) to tie "immediate" and "username" together.

--
James Manger

-----Original Message-----
From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Eran Hammer-Lahav
Sent: Sunday, 23 May 2010 4:07 PM
To: OAuth WG (oauth@ietf.org)
Subject: [OAUTH-WG] 'immediate' without identity

Are there use cases for the 'immediate' parameter where a companion parameter for identity (e.g. 'username') is not needed or required?

The purpose of the 'immediate' parameter is for the authorization server to authenticate the end user via some automatic means (usually a cookie) and check if an access token was already issued for that end user / client identifier combination. This parameter is only useful when the client is already familiar with the end user (not the first time it seeks authorization), in which case, it should pass that information along to make sure the same user is logged into the authorization server.

If all the use cases require both, we should include both and make one required if the other is present.

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
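
The two positions in this thread can be modelled as one authorization-server decision in which the identity hint is optional. This is an added example, not code from either poster or from the OAuth drafts; the function name, outcome labels and grant store are hypothetical, and the sample data is constructed.

```python
from typing import Optional, Set, Tuple

# Constructed sample state: (end user, client identifier) pairs for which
# an access token was already issued.
EXISTING_GRANTS: Set[Tuple[str, str]] = {
    ("alice", "photo-app"),
    ("bob", "photo-app"),
}


def handle_immediate(cookie_user: Optional[str],
                     client_id: str,
                     username: Optional[str] = None,
                     grants: Set[Tuple[str, str]] = EXISTING_GRANTS) -> str:
    """Decide an 'immediate' request, i.e. one that must not prompt the user.

    cookie_user: end user authenticated by automatic means (usually a
                 cookie), or None if nobody is logged in.
    username:    optional identity hint from the client; None when the
                 client has not identified the visitor yet.
    Returns a hypothetical outcome label:
    "token", "interaction_required" or "user_mismatch".
    """
    if cookie_user is None:
        # Nobody to authenticate silently.
        return "interaction_required"
    if username is not None and username != cookie_user:
        # The client expects a different user than the one logged in here.
        # Answering with the logged-in user's token would let the client
        # attach it to the wrong local account.
        return "user_mismatch"
    if (cookie_user, client_id) not in grants:
        # This user never authorized this client; granting needs interaction.
        return "interaction_required"
    # With no hint, the token belongs to whoever is logged in at the server,
    # so the client should use it for that visitor only (silent
    # personalization) and not bind it to an account it already knows.
    return "token"


if __name__ == "__main__":
    for args in [("alice", "photo-app"), ("alice", "photo-app", "alice"),
                 ("bob", "photo-app", "alice"), (None, "photo-app", "alice"),
                 ("carol", "photo-app")]:
        print(args, "->", handle_immediate(*args))
```
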