Thanks for your review, Thomas. The “prompt=consent” definition being missing is an editorial error. It should be:
consent
The Authorization Server SHOULD prompt the End-User for consent before returning information to the Client. If it cannot obtain consent, it MUST return an error, typically consent_required.

I’ll plan to add it in the next draft.

I agree that there’s no difference between a response with multiple “amr” values that includes “mfa” and one that doesn’t. Unless a clear use case for why “mfa” is needed can be identified, we can delete it in the next draft.

-- Mike

From: Thomas Broyer [mailto:t.bro...@gmail.com]
Sent: Monday, July 21, 2014 1:47 PM
To: Mike Jones
Cc: <oauth@ietf.org>
Subject: Re: [OAUTH-WG] FW: New Version Notification for draft-hunt-oauth-v2-user-a4c-05.txt

The end of section 2.2 talks about prompt=consent but the value is not defined above.

Also, I don't understand the note about "pwd" being used by a service. In which scenario would that happen?

Finally, what's the difference between providing several values for "amr" with and without including "mfa"? IOW, what's the use case for mfa?

On 21 Jul 2014 21:06, "Mike Jones" <michael.jo...@microsoft.com> wrote:

Changes in this version are:

• Added the Authentication Method Reference Values registry.
• Renamed the code_for_id_token grant type to urn:ietf:params:oauth:grant-type:code-for-id-token to conform to Section 4.5 of RFC 6749.

-- Mike

-----Original Message-----
From: internet-dra...@ietf.org [mailto:internet-dra...@ietf.org]
Sent: Monday, July 21, 2014 12:00 PM
To: Phil Hunt; Anthony Nadalin; Phil Hunt; Mike Jones; Anthony Nadalin; Mike Jones
Subject: New Version Notification for draft-hunt-oauth-v2-user-a4c-05.txt

A new version of I-D, draft-hunt-oauth-v2-user-a4c-05.txt has been successfully submitted by Michael B. Jones and posted to the IETF repository.

Name: draft-hunt-oauth-v2-user-a4c
Revision: 05
Title: Providing User Authentication Information to OAuth 2.0 Clients
Document date: 2014-07-21
Group: Individual Submission
Pages: 19
URL: http://www.ietf.org/internet-drafts/draft-hunt-oauth-v2-user-a4c-05.txt
Status: https://datatracker.ietf.org/doc/draft-hunt-oauth-v2-user-a4c/
Htmlized: http://tools.ietf.org/html/draft-hunt-oauth-v2-user-a4c-05
Diff: http://www.ietf.org/rfcdiff?url2=draft-hunt-oauth-v2-user-a4c-05

Abstract:
This specification defines a way for OAuth 2.0 clients to verify the identity of the End-User and obtain consent based upon the authentication performed by an Authorization Server. The interactions defined by this specification are intentionally compatible with the OpenID Connect protocol.

Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth