Sergey,

I agree, the text may still be a bit awkward.  What I was trying to open the 
door to is that some client may not actually want access to the resource in 
question -- they just want to authenticate the user.

So, if the client has an empty scope, the AS could interpret that as an 
authentication only request and it doesn't have to return an access token.

Phil

@independentid
www.independentid.com
phil.h...@oracle.com
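The decision Phil sketches above, turned into code as an added illustration (this is not code from the draft, from Phil, or from anyone else on the thread): an authorization server reads an empty scope as "authenticate the user only", returns an id_token (a JWT, as the revised draft always does) and no code or access token, and may skip the consent prompt because nothing granting resource access is issued. A non-empty scope goes down the normal OAuth 2.0 path, where no code is issued until the user has consented. The issuer URL, the HS256 key, the JWT minting and the sample requests are all constructed for this example.

```python
"""Added example: authentication-only vs. normal authorization decision in an AS.
Everything here (issuer, key, request shapes) is constructed for illustration."""
import base64
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass
from typing import Optional

ISSUER = "https://as.example.test"        # constructed issuer URL
SIGNING_KEY = b"example-only-hs256-key"   # constructed; a real AS uses its own keys


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_id_token(subject: str, client_id: str, amr: list) -> str:
    """Mint a minimal HS256 JWT saying who was authenticated and how ("amr")."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": subject, "aud": client_id, "amr": amr}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)
    )
    signature = hmac.new(SIGNING_KEY, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def decode_claims(token: str) -> dict:
    """Verify the HS256 signature and return the claims (used to inspect results)."""
    signing_input, _, sig = token.rpartition(".")
    expected = _b64url(hmac.new(SIGNING_KEY, signing_input.encode("ascii"), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad id_token signature")
    payload = signing_input.split(".")[1]
    payload += "=" * (-len(payload) % 4)   # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


@dataclass
class AuthzRequest:
    client_id: str
    scope: str = ""            # space-separated scope list, RFC 6749 section 3.3


@dataclass
class AuthzResponse:
    authentication_only: bool
    consent_required: bool
    id_token: Optional[str] = None
    code: Optional[str] = None  # authorization code, later exchanged for an access token


def is_authentication_only(req: AuthzRequest) -> bool:
    """Phil's reading: an empty scope means the client wants no resource access."""
    return not req.scope.split()


def authorize(req: AuthzRequest, subject: str, amr: list, user_consented: bool) -> AuthzResponse:
    """Decide what, if anything, to issue for a user the AS has just authenticated."""
    if is_authentication_only(req):
        # Nothing granting resource access is issued, so the AS may skip the
        # consent prompt and hand back only the id_token.
        return AuthzResponse(True, False, id_token=make_id_token(subject, req.client_id, amr))
    if not user_consented:
        # Normal OAuth 2.0 path: ask for consent before issuing anything.
        return AuthzResponse(False, True)
    return AuthzResponse(False, True,
                         id_token=make_id_token(subject, req.client_id, amr),
                         code=secrets.token_urlsafe(24))


def grants_access_without_consent(resp: AuthzResponse, user_consented: bool) -> bool:
    """Invariant a reviewer of the AS would check: a code must never go out unconsented."""
    return resp.code is not None and not user_consented
```

The split point is the scope check: once a request carries any scope, the code path is the unchanged RFC 6749 one, and `grants_access_without_consent` is the property worth testing against every branch.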

On 2013-08-28, at 2:27 AM, Sergey Beryozkin <sberyoz...@gmail.com> wrote:

> Hi Phil,
> 
> I have a question, re:
> 
> "The authorization server MUST:
> 
> -Perform the normal OAuth2 authorization process,
> -MAY elect not to request consent if no access token is to be
>      issued (i.e. this is an authentication only request),
> "
> 
> This last statement confuses me, given that the Authentication Response
> "is identical to the one described in Section 4.1.2 [RFC6749]."
> 
> In other words, the client may only request the login but get the 'code' back 
> without the user's consent? This seems wrong, but maybe I'm missing something?
> 
> Thanks, Sergey
> 
> 
> 
>> 
>> On 2013-08-27, at 12:52 PM, Phil Hunt <phil.h...@oracle.com
>> <mailto:phil.h...@oracle.com>> wrote:
>> 
>>> FYI.  Based on feedback from Berlin, Tony and I have revised the draft
>>> to include:
>>> 
>>> * Alignment with OpenID Connect (using id_token)
>>> * Always returns a JWT
>>> * Minimum assertion level on request
>>> * Return information about the type of authentication performed
>>> 
>>> Thanks for your input.
>>> 
>>> Phil
>>> 
>>> @independentid
>>> www.independentid.com
>>> phil.h...@oracle.com
>>> 
>>> 
>>> Begin forwarded message:
>>> 
>>>> From: internet-dra...@ietf.org
>>>> Subject: New Version Notification for draft-hunt-oauth-v2-user-a4c-01.txt
>>>> Date: 27 August, 2013 8:56:45 AM PDT
>>>> To: Phil Hunt <phil.h...@yahoo.com>, Anthony Nadalin <tony...@microsoft.com>,
>>>> Tony Nadalin <tony...@microsoft.com>
>>>> 
>>>> 
>>>> A new version of I-D, draft-hunt-oauth-v2-user-a4c-01.txt
>>>> has been successfully submitted by Phil Hunt and posted to the
>>>> IETF repository.
>>>> 
>>>> Filename: draft-hunt-oauth-v2-user-a4c
>>>> Revision: 01
>>>> Title: OAuth 2.0 User Authentication and Consent For Clients
>>>> Creation date: 2013-08-27
>>>> Group: Individual Submission
>>>> Number of pages: 10
>>>> URL:
>>>> http://www.ietf.org/internet-drafts/draft-hunt-oauth-v2-user-a4c-01.txt
>>>> Status: http://datatracker.ietf.org/doc/draft-hunt-oauth-v2-user-a4c
>>>> Htmlized: http://tools.ietf.org/html/draft-hunt-oauth-v2-user-a4c-01
>>>> Diff: http://www.ietf.org/rfcdiff?url2=draft-hunt-oauth-v2-user-a4c-01
>>>> 
>>>> Abstract:
>>>>  This specification defines a new OAuth2 endpoint that enables user
>>>>  authentication session and consent information to be shared with
>>>>  client applications.
>>>> 
>>>> 
>>>> 
>>>> 
>>>> Please note that it may take a couple of minutes from the time of
>>>> submission until the htmlized version and diff are available at
>>>> tools.ietf.org.
>>>> 
>>>> The IETF Secretariat
>>>> 
>>> 
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>> 
