> -----Original Message-----
> From: Dick Hardt [mailto:dick.ha...@gmail.com]
> Sent: Monday, May 24, 2010 7:35 AM
> To: Eran Hammer-Lahav
> Cc: OAuth WG (oauth@ietf.org)
> Subject: Re: [OAUTH-WG] 'immediate' without identity
> 
> You were looking for use cases for immediate without identity.
> 
> I agree that *if* the client does know the user, then it should tell the 
> server.
> Are you saying that if the client does not know the user it should not use
> immediate?

I think the server should reject an immediate request without a username. 
Otherwise the server will be giving the client an access token that belongs to 
another user.

Let me rephrase this: is anyone here planning on supporting 'immediate' for 
cases where the client doesn't know who the user is and just wants access to 
whoever last logged into the server? Basically ignoring the chance that more than 
one user is using the computer, or trusting the client to then get the username 
and ask the user if it is them (after getting an access token for someone else 
and making at least one call for their identity).

EHL

> -- Dick
> 
> On 2010-05-23, at 10:32 PM, Eran Hammer-Lahav wrote:
> 
> > How does this work if there are two people using the same computer and
> > the other user is the one currently logged into the server?
> >
> > I think the client should be required to tell the server who the user is
> > when using immediate to avoid this problem.
> >
> > EHL
> >
> >> -----Original Message-----
> >> From: Dick Hardt [mailto:dick.ha...@gmail.com]
> >> Sent: Sunday, May 23, 2010 8:01 PM
> >> To: Eran Hammer-Lahav
> >> Cc: Torsten Lodderstedt; OAuth WG (oauth@ietf.org)
> >> Subject: Re: [OAUTH-WG] 'immediate' without identity
> >>
> >> On 2010-05-23, at 8:40 AM, Eran Hammer-Lahav wrote:
> >>> But back to my original email, what are the use cases for 'immediate'
> >>> without identity?
> >>
> >>
> >> The client may not have any indication of which user it is, but want
> >> to check if it is a user they already know. They can do a check
> >> immediate, get the token, then make an API call to see which user it is.
> >>
> >> This would be the case if the user has used the client, but is now on
> >> a different machine or has cleared cookies.
> >>
> >> -- Dick
> >
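
The server-side check discussed in this thread, as an added example that is not from the thread or from any OAuth implementation: an authorization endpoint that handles an 'immediate' request and, on a shared computer, either hands out the logged-in user's token to a client that never said who its user is, or rejects the request when an identity is required. The `username` parameter name, the error strings and the `session_user` lookup are assumptions.

```python
# Added example (not from the thread). Models an authorization endpoint's
# handling of an 'immediate' request and the shared-computer problem:
# without an identity check the client gets a token for whoever is logged in.
# "username" as the parameter name and the error strings are assumptions.
import secrets


def handle_immediate(params, session_user, require_identity=True):
    """Return (status, body) for one authorization request.

    params:       query parameters sent by the client.
    session_user: user currently logged into the server in this browser
                  (None if nobody is logged in); an assumed lookup.
    """
    if params.get("immediate") != "true":
        return "redirect_to_login", {}          # normal interactive flow
    if session_user is None:
        return "error", {"error": "immediate_unsuccessful"}
    hint = params.get("username")
    if require_identity and not hint:
        # Client has not said who it thinks the user is: refuse rather than
        # issue a token for whoever happens to be logged in on this machine.
        return "error", {"error": "immediate_requires_identity"}
    if hint and hint != session_user:
        # Client's user is not the one logged in here (shared computer).
        return "error", {"error": "immediate_unsuccessful"}
    token = secrets.token_urlsafe(16)
    return "token", {"access_token": token, "user": session_user}


def shared_computer_demo(require_identity):
    """Constructed scenario: Alice's client runs on a machine where Bob is
    the one currently logged into the server, and the client does not know
    which user it is. Returns (status, user the token belongs to)."""
    params = {"immediate": "true"}             # no identity supplied
    status, body = handle_immediate(params, session_user="bob",
                                    require_identity=require_identity)
    return status, body.get("user")


if __name__ == "__main__":
    print("no identity check:", shared_computer_demo(False))   # token for bob
    print("identity required:", shared_computer_demo(True))    # rejected
```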

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
