Hi Jérôme, I am one of those non-consumer use cases where explicit consent is not part of our envisioned OAuth flow. The resource servers that we create and sell to our customers are owned by the customer's IT department, so when a user (employee) authenticates to the AS, it is the enterprise policy rules that determine whether or not the user is authorized to obtain an access token. The confusion is that in classic OAuth the end-user and resource owner are often the same, but in other cases (including mine) this is not the case. Hope that helps.
-adam

From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Paul Madsen
Sent: Tuesday, August 07, 2012 8:07 AM
To: Jérôme LELEU
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Is "Allow / disallow" screen mandatory ?

there are legitimate (non consumer centric) applications of OAuth where such explicit consent gathering is not necessary

On 8/3/12 9:23 AM, Jérôme LELEU wrote:
Said like that, I feel totally stupid... but it's not totally without their consent, they previously clicked on the "Authenticate at the OAuth provider" link... I understand that it's mandatory.
Thanks,
Jérôme

2012/8/3 Doug Tangren <d.tang...@gmail.com>
What are the security concerns about not having such an "Allow / disallow" screen ?
Obtaining access to a user's data without their consent?

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
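The distinction Adam draws, as an added example that is not part of the thread or of any participant's code: a minimal decision routine for an OAuth 2.0 authorization endpoint that decides whether the "Allow / disallow" screen is shown. When the resource server is enterprise-owned, policy decides and the user is not asked; when the end-user is the resource owner, a third-party client gets a token only after consent (Doug's point). Client records, user groups, scope names and the policy table are constructed assumptions, and the routine goes slightly beyond the thread by also honouring a previously recorded consent.

```python
"""
Added example, not from the mailing-list thread. Models the
"resource owner is the enterprise" versus "resource owner is the
end-user" split discussed there. All names and data are constructed.
"""
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    DENY = "deny"      # policy or registration forbids: no prompt, no token
    PROMPT = "prompt"  # show the allow / disallow screen to the end-user
    GRANT = "grant"    # issue the authorization without prompting


@dataclass(frozen=True)
class Client:
    client_id: str
    enterprise_owned: bool      # resource server owned by the customer's IT department
    allowed_scopes: frozenset   # scopes the client was registered for


@dataclass
class User:
    user_id: str
    groups: frozenset
    # client_id -> scopes this user already consented to for that client (assumed store)
    prior_consents: dict = field(default_factory=dict)


# Constructed enterprise policy: which directory groups may obtain which scopes.
ENTERPRISE_POLICY = {
    "employees": frozenset({"read:calendar"}),
    "finance": frozenset({"read:calendar", "read:ledger"}),
}


def policy_permits(user, scopes):
    """True if the union of the user's group entitlements covers every requested scope."""
    permitted = frozenset().union(
        *(ENTERPRISE_POLICY.get(g, frozenset()) for g in user.groups)
    )
    return scopes <= permitted


def decide(client, user, requested):
    """Decide what the authorization endpoint does for this client/user/scope request."""
    requested = frozenset(requested)
    if not requested <= client.allowed_scopes:
        # Client asks for more than it was registered for: refuse before any prompt.
        return Decision.DENY
    if client.enterprise_owned:
        # Resource owner is the enterprise: its policy authorizes or refuses,
        # and the employee is never shown a consent screen.
        return Decision.GRANT if policy_permits(user, requested) else Decision.DENY
    # Third-party client: the end-user is the resource owner, so their consent
    # is required unless they already granted at least these scopes to this client.
    if requested <= user.prior_consents.get(client.client_id, frozenset()):
        return Decision.GRANT
    return Decision.PROMPT


if __name__ == "__main__":
    intranet = Client("intranet-app", True, frozenset({"read:calendar", "read:ledger"}))
    partner = Client("partner-app", False, frozenset({"read:calendar"}))
    alice = User("alice", frozenset({"employees"}))
    print(decide(intranet, alice, ["read:calendar"]))  # policy grants, no prompt
    print(decide(partner, alice, ["read:calendar"]))   # third party: prompt for consent
```

The first `DENY` check runs before the enterprise/third-party branch on purpose: an over-scoped request from a registered client is a registration problem and should never reach either policy evaluation or the user.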