Hi Jerome, you raise a good and important point.
A core part of the OAuth specification is to obtain the consent of the resource owner. If you look at Section 1.3 of http://tools.ietf.org/html/draft-ietf-oauth-v2-31 you see the different authorization grants that are supported. Except for the client credentials authorization grant, every other grant type requires a protocol exchange to obtain the permission from the resource owner. The threats document discusses the importance of the consent mechanism in more detail.

However, the actual screen (and the importance of the UI representation) is not standardized. Most standardization organizations do not standardize the look-and-feel of the actual permission screen. Having said that, I believe it is a very important aspect of every identity management protocol, and there is research available. Maybe someone should put a page with a few links together to illustrate the current state of the art and the best current practice.

Ciao
Hannes

On Aug 3, 2012, at 12:07 AM, Jérôme LELEU wrote:

> Hi,
>
> In the OAuth 2.0 spec, I don't see any mention of the "Allow / disallow" screen (just after the user is logged in). However, most of the OAuth providers I know (Facebook, Google, Twitter...) have such an "allow / disallow" screen.
>
> Did I miss something in the spec?
>
> What are the security concerns about not having such an "Allow / disallow" screen?
>
> Thanks.
> Best regards,
> Jérôme
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
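As an added illustration of the point made in this exchange (this is not code from the thread, from the OAuth draft, or from any provider), the following Python sketch models the decision an authorization server makes at its authorization endpoint before issuing an authorization code: it only issues a code for scopes the resource owner has actually approved, asks for consent when a client requests a scope the user has not yet granted, and shows why the client credentials grant needs no such screen (there is no resource owner in that flow, only an authenticated client). The client identifiers, scope names, `CLIENTS` table and `ConsentStore` are constructed sample data and assumptions, not anything defined by the specification.

```python
import secrets

# Constructed sample registrations: client_id -> grant types the server allows it to use.
CLIENTS = {
    "photo-app": {"authorization_code"},
    "backend-job": {"client_credentials"},
}


class ConsentStore:
    """Remembers which scopes a resource owner has granted to which client (assumed store)."""

    def __init__(self):
        self._grants = {}  # (user_id, client_id) -> set of granted scopes

    def granted(self, user_id, client_id):
        return set(self._grants.get((user_id, client_id), set()))

    def record(self, user_id, client_id, scopes):
        self._grants.setdefault((user_id, client_id), set()).update(scopes)

    def revoke(self, user_id, client_id):
        self._grants.pop((user_id, client_id), None)


def authorize(store, user_id, client_id, requested, decision=None):
    """Decide what the authorization endpoint does for an authorization-code request.

    requested: scopes the client asked for.
    decision:  None if the user has not been shown the allow/disallow screen in this
               request; otherwise the set of scopes the user approved on that screen
               (an empty set means the user pressed "disallow").
    Returns one of:
      ("consent_required", scopes_to_ask)  -> render the allow/disallow screen
      ("denied", None)                      -> redirect back with error=access_denied
      ("code", code, granted_scopes)        -> redirect back with an authorization code
    """
    if "authorization_code" not in CLIENTS.get(client_id, set()):
        raise ValueError("unknown client or grant type not allowed for this client")
    requested = set(requested)
    missing = requested - store.granted(user_id, client_id)

    if decision is None:
        # Never issue a code for a scope the resource owner has not approved:
        # without this check, a client could obtain access the user never agreed to.
        if missing:
            return ("consent_required", missing)
    else:
        approved = decision & requested  # ignore anything not actually requested
        if not approved:
            return ("denied", None)
        store.record(user_id, client_id, approved)

    # The code covers only the intersection of what was asked for and what was granted;
    # the server may issue less than requested, and the client must be told the final scope.
    granted = store.granted(user_id, client_id) & requested
    return ("code", secrets.token_urlsafe(32), granted)


def client_credentials_token(client_id, client_authenticated):
    """Client credentials grant: the client acts on its own behalf, so there is no
    resource owner to ask. Consent is replaced by authenticating the client itself."""
    if not client_authenticated:
        raise PermissionError("client authentication failed")
    if "client_credentials" not in CLIENTS.get(client_id, set()):
        raise ValueError("client is not allowed to use the client credentials grant")
    return secrets.token_urlsafe(32)
```

Two behaviours are worth noting when reading the sketch: a repeat request for scopes the user already granted goes straight to a code without a second screen, but a request that adds a new scope is treated as a fresh consent decision for the missing scope only, so a client cannot quietly escalate what it holds; and `revoke` is the hook a provider's "manage connected apps" page would call.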