Yes, this is common practice. Give the user the option to remember the
decision. This is known as "trust on first use", or tofu. Our server, MITREid
Connect, implements this as do many others.
-- Justin
/ Sent from my phone /
-------- Original message --------
From: Sergey Beryozkin <sberyoz...@gmail.com>
Date: 1/18/2016 5:59 AM (GMT-05:00)
To: oauth@ietf.org
Subject: [OAUTH-WG] Can the repeated authorization of scopes be avoided ?
Hi All
The question relates to the process of showing the authorization
code/implicit flow consent screen to a user.
I'm discussing with my colleagues the possibility of avoiding asking the
same user whose session has expired and who is re-authenticating with AS
which scopes should be approved.
For example, suppose the OAuth2 client redirects a user with the
requested scope 'a'. The user signs in to AS and is shown a consent
screen asking to approve the 'a' scope. The user approves 'a' and the
flow continues.
Some time later, when the user's session has expired, the user is
redirected to AS with the same 'a' scope.
Would it be a good idea, at this point, not to show the user the consent
screen asking to approve the 'a' scope again ? For example, AS can
persist the fact that a given user has already approved 'a' for a given
client earlier, so when the user re-authenticates, AS will use this info
and will avoid showing the consent screen.
That seems to make sense, but I'm wondering, can there be some security
implications associated with it, any recommendations/advices will be welcome
Sergey
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
