On 2010-05-24, at 8:55 AM, Eran Hammer-Lahav wrote:

>> -----Original Message-----
>> From: Dick Hardt [mailto:dick.ha...@gmail.com]
>> Sent: Monday, May 24, 2010 7:35 AM
>> To: Eran Hammer-Lahav
>> Cc: OAuth WG (oauth@ietf.org)
>> Subject: Re: [OAUTH-WG] 'immediate' without identity
>>
>> You were looking for use cases for immediate without identity.
>>
>> I agree that *if* the client does know the user, then it should tell the
>> server.
>> Are you saying that if the client does not know the user it should not use
>> immediate?
>
> I think the server should reject an immediate request without a username.
> Otherwise the server will be giving the client an access token that belongs
> to another user.

Now I understand. I agree.

-- Dick

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth