On Tue, Apr 6, 2010 at 11:07 PM, Eran Hammer-Lahav <e...@hueniverse.com> wrote:

> On 4/6/10 5:24 PM, "Evan Gilbert" <uid...@google.com> wrote:
>
> > Proposal:
> >
> > In 2.4.1 & 2.4.2, add the following OPTIONAL parameter
> >
> > username
> >
> > The resource owner's username. The authorization server MUST only send back
> > refresh tokens or access tokens for the user identified by username.
>
> What are the security implications? How can the client know that the token
> it got is really for that user?

I think the client has to trust the auth server, in the same way as with the
username + password profile. The auth server can always send back a scope for
a different user. Worst case is that there is an identity mismatch between the
client and the identity implicit in the authorization token. This mismatch is
already possible, and I don't think the username parameter makes the problem
worse.

> EHL
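Added example (not code from the OAuth draft or from either participant in the thread). It models the proposed OPTIONAL username parameter on a token request, the "MUST only send back ... tokens for the user identified by username" rule on the server side, and the point of the reply: the client can check the identity echoed back to it, but that check only catches a server that reports honestly, so the client is trusting the authorization server either way. Everything below is an assumption for illustration: in-memory server objects stand in for HTTP, a TokenResponse dataclass stands in for the token response, and a username field in that response is assumed so the client has something to compare against.

```python
# Added example (not from the OAuth draft or the thread). Models the proposed
# OPTIONAL `username` token-request parameter and why the client still has to
# trust the authorization server. Assumptions not in the original: in-memory
# servers instead of HTTP, a TokenResponse object, and a `username` field in
# the token response that the server uses to report the bound identity.
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class TokenResponse:
    access_token: str
    username: str          # assumed: identity the server says the token is bound to


class CompliantServer:
    """Follows the proposed MUST: issues tokens only for the named user."""

    def __init__(self, authenticated_owner: str) -> None:
        # The resource owner the server actually authenticated (assumption:
        # established out of band, before the token request is evaluated).
        self.owner = authenticated_owner
        self.issued = {}   # access_token -> real owner, the server's private record

    def token(self, username: Optional[str] = None) -> Optional[TokenResponse]:
        if username is not None and username != self.owner:
            return None    # refuse: would be a token for a different user
        tok = secrets.token_urlsafe(16)
        self.issued[tok] = self.owner
        return TokenResponse(tok, self.owner)


class SloppyServer(CompliantServer):
    """Ignores `username` but reports the real identity: mismatch is detectable."""

    def token(self, username: Optional[str] = None) -> Optional[TokenResponse]:
        tok = secrets.token_urlsafe(16)
        self.issued[tok] = self.owner
        return TokenResponse(tok, self.owner)


class LyingServer(CompliantServer):
    """Ignores `username` and echoes whatever was asked for: not detectable
    from the token response alone."""

    def token(self, username: Optional[str] = None) -> Optional[TokenResponse]:
        tok = secrets.token_urlsafe(16)
        self.issued[tok] = self.owner
        return TokenResponse(tok, username or self.owner)


def request_token(server: CompliantServer, username: str):
    """Client side. Returns (access_token or None, status) where status is
    'ok', 'refused' or 'mismatch'. Comparing the echoed identity is the best a
    client can do with the response alone, and it only works if the server is
    honest about what it issued."""
    resp = server.token(username=username)
    if resp is None:
        return None, "refused"
    if resp.username != username:
        return None, "mismatch"
    return resp.access_token, "ok"


def token_really_for(server: CompliantServer, token: str) -> str:
    """What the server privately knows the token is bound to. The client never
    sees this; it stands in for what the protected resource would enforce."""
    return server.issued[token]


if __name__ == "__main__":
    # Client asks for a token for "alice"; each server actually holds "bob".
    for srv in (CompliantServer("bob"), SloppyServer("bob"), LyingServer("bob")):
        tok, status = request_token(srv, "alice")
        real = token_really_for(srv, tok) if tok else None
        print(f"{type(srv).__name__:16} status={status:8} token_bound_to={real}")
```

Running it shows the three outcomes: the compliant server refuses the mismatched request, the sloppy server's mismatch is caught by the client-side comparison, and the lying server's token passes the client's check while the server's own record binds it to a different user. That last row is the identity mismatch the reply describes, and no parameter in the request can close it; only trust in (or an independent check against) the authorization server does.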
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth