More details on this enhancement. Goal: Make sure you get an access token for the right user in immediate mode.
Use case where we have problems if we don't have a username parameter:

1. Bob is logged into a web site as b...@idp.com.
2. Mary (his wife) is logged into the IDP on the same computer as m...@idp.com.
3. A request is made to get an access token via the User-Agent flow in immediate mode (or with any redirect without prompting the user).
4. Bob now has an access token for Mary and (posts activities, schedules events, gets contacts) as Mary.
5. Hilarity ensues.

Secondary goal: Provide a hint for non-immediate mode.

On Thu, Apr 15, 2010 at 11:55 AM, Eran Hammer-Lahav <e...@hueniverse.com> wrote:
> Evan Gilbert proposed a 'username' request parameter to allow the client to
> limit the end user to authenticate using the provided authorization server
> identifier. The proposal has not been discussed or supported by others, and
> has not received a security review.
>
> Proposal: Obtain further discussion and support from others, as well as a
> security review of the proposal. Otherwise, do nothing.
>
> EHL
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
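The wrong-user failure in the use case above, and the username check the thread proposes, as an added Python simulation that is not part of this thread or of any OAuth implementation. The user identifiers, the session object, the token values and the response fields are constructed for the example; the client-side check additionally assumes the token response tells the client which user the token is bound to.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed placeholders standing in for the two IDP accounts in the thread.
BOB = "bob"
MARY = "mary"


@dataclass
class IdpSession:
    """Whoever is currently logged in at the authorization server (shared browser)."""
    user: str


@dataclass
class TokenResponse:
    ok: bool
    user: Optional[str] = None   # assumption: the response names the token's user
    token: Optional[str] = None
    error: Optional[str] = None


def authorize_immediate(session: Optional[IdpSession],
                        username: Optional[str] = None) -> TokenResponse:
    """Authorization server side of an immediate-mode (no-prompt) request.

    Without a prompt the server can only bind the token to the current session.
    A 'username' hint lets it refuse when that session belongs to someone else
    instead of silently issuing the other user's token (step 4 of the use case).
    """
    if session is None:
        return TokenResponse(ok=False, error="login_required")
    if username is not None and username != session.user:
        return TokenResponse(ok=False, error="user_mismatch")
    # Token value is constructed; a real server would mint an opaque token.
    return TokenResponse(ok=True, user=session.user, token=f"tok-{session.user}")


def client_fetch_token(expected_user: str, session: Optional[IdpSession],
                       send_hint: bool) -> Optional[str]:
    """Client side: ask for a token for the user logged into the web site and
    use it only if it is bound to that user."""
    resp = authorize_immediate(session, expected_user if send_hint else None)
    if not resp.ok:
        return None
    if resp.user != expected_user:
        # Defence in depth: a token for a different user is never acted on.
        return None
    return resp.token
```

Without the hint the server hands Bob's site a token for Mary; with it the server answers `user_mismatch`, and the client-side comparison catches the case where the hint is not sent.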