On Mon, Jul 21, 2014 at 11:52 PM, Mike Jones <michael.jo...@microsoft.com> wrote:
> Thanks for your review, Thomas. The “prompt=consent” definition being
> missing is an editorial error. It should be:
>
> consent
>
> The Authorization Server SHOULD prompt the End-User for consent before
> returning information to the Client. If it cannot obtain consent, it MUST
> return an error, typically consent_required.
>
> I’ll plan to add it in the next draft.

It looks like the consent_required error needs to be defined too, and you might have forgotten to also import account_selection_required from OpenID Connect.

> I agree that there’s no difference between a response with multiple “amr”
> values that includes “mfa” and one that doesn’t. Unless a clear use case
> for why “mfa” is needed can be identified, we can delete it in the next
> draft.

Thanks.

How about "pwd" then? I fully understand that I should return "pwd" if the user authenticated using a password, but what does "the service if a client secret is used" mean in the definition for the "pwd" value?

(Nota: I know you're at IETF-90, I'm ready to wait 'til you come back ;-) )

--
Thomas Broyer
/tɔ.ma.bʁwa.je/ <http://xn--nna.ma.xn--bwa-xxb.je/>
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth