+1 to Dick. Eran - this is a very common use case. You can't require the client to know who the user is ahead of time.
If the other user is the one currently logged into the server, then that's the ID that is returned. It's up to the client to figure out what to do - in most cases, they will treat the identity returned from the server as authoritative. That's what single sign on is.

On May 23, 2010, at 10:32 PM, Eran Hammer-Lahav wrote:

> How does this work if there are two people using the same computer and the
> other user is the one currently logged into the server?
>
> I think the client should be required to tell the server who the user is when
> using immediate to avoid this problem.
>
> EHL
>
>> -----Original Message-----
>> From: Dick Hardt [mailto:dick.ha...@gmail.com]
>> Sent: Sunday, May 23, 2010 8:01 PM
>> To: Eran Hammer-Lahav
>> Cc: Torsten Lodderstedt; OAuth WG (oauth@ietf.org)
>> Subject: Re: [OAUTH-WG] 'immediate' without identity
>>
>> On 2010-05-23, at 8:40 AM, Eran Hammer-Lahav wrote:
>>> But back to my original email, what are the use cases for 'immediate'
>>> without identity?
>>
>> The client may not have any indication of which user it is, but want to
>> check if it is a user they already know. They can do a check immediate,
>> get the token, then make an API call to see which user it is.
>>
>> This would be the case if the user has used the client, but is now on a
>> different machine or has cleared cookies.
>>
>> -- Dick
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
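The flow Dick describes (check immediate, get a token, ask the API who the user is) and the shared-computer case Eran raises, as an added example that is not part of this thread and not code from any OAuth implementation. It is a Python mock: `AuthServer`, `authorize`, `whoami`, `Client` and the `expected_user` parameter are hypothetical names standing in for the draft's user-authorization endpoint, a "who am I" API call, and Eran's suggestion that the client tell the server which user it expects. The real wire format of the `immediate` parameter is not modelled; the scenario data (user names, client id) is constructed for the example.

```python
"""Mock of an OAuth 'immediate' check without identity.

Added example, not from the mailing-list thread. Endpoint and parameter
names are hypothetical; they stand in for the draft's authorization
endpoint and a protected 'who am I' resource.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple
import secrets


@dataclass
class AuthServer:
    """Hypothetical authorization server with one browser session per machine."""
    # Assumption: the browser on this machine holds a single server session,
    # so the server sees one "currently logged-in user" (or nobody at all).
    logged_in_user: Optional[str]
    tokens: Dict[str, str] = field(default_factory=dict)

    def authorize(self, client_id: str, immediate: bool,
                  expected_user: Optional[str] = None) -> Optional[str]:
        """Mock user-authorization endpoint.

        With immediate=True the server must not show any UI: it either
        issues a token for whoever is logged in or returns None.
        `expected_user` is a hypothetical parameter modelling Eran's
        proposal that the client name the user it expects; it is not in
        the draft. A mismatch fails silently instead of handing the client
        the other person's token.
        """
        if not immediate:
            raise NotImplementedError("interactive consent is not modelled")
        if self.logged_in_user is None:
            return None
        if expected_user is not None and expected_user != self.logged_in_user:
            return None
        token = secrets.token_hex(8)
        self.tokens[token] = self.logged_in_user
        return token

    def whoami(self, token: str) -> Optional[str]:
        """Mock protected-resource call that reveals whose token this is."""
        return self.tokens.get(token)


@dataclass
class Client:
    """Client that has seen some users before but has no cookie on this machine."""
    client_id: str
    known_users: Set[str]

    def check_immediate(self, server: AuthServer,
                        expected_user: Optional[str] = None
                        ) -> Tuple[str, Optional[str]]:
        """Dick's flow: check immediate, get a token, ask the API who it is.

        Returns (status, user) where status is one of:
          "known"    - the server identity is a user this client has seen
          "unknown"  - a token was issued, but for someone else (Eran's
                       shared-computer case); the client treats the server
                       identity as authoritative rather than guessing
          "no_token" - nobody logged in, or the server refused silently
        """
        token = server.authorize(self.client_id, immediate=True,
                                 expected_user=expected_user)
        if token is None:
            return ("no_token", None)
        user = server.whoami(token)
        if user in self.known_users:
            return ("known", user)
        return ("unknown", user)


if __name__ == "__main__":
    # Constructed scenario: the client remembers alice from another machine.
    client = Client(client_id="photo-app", known_users={"alice"})
    print(client.check_immediate(AuthServer(logged_in_user="alice")))  # ('known', 'alice')
    print(client.check_immediate(AuthServer(logged_in_user="bob")))    # ('unknown', 'bob')
    print(client.check_immediate(AuthServer(logged_in_user=None)))     # ('no_token', None)
    # Eran's alternative: the client asserts who it expects and the server
    # refuses the mismatch instead of returning bob's identity.
    print(client.check_immediate(AuthServer(logged_in_user="bob"),
                                 expected_user="alice"))               # ('no_token', None)
```

The second call is the case Eran describes: the client learns that the server's session belongs to a different person than the one it remembered and can only act on that returned identity. The fourth call shows the trade-off of his proposal: the mismatch is caught server-side, but only because the client already had a user name to assert, which is exactly what Dick's use case lacks.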