Hi William

Thanks for the advice. FYI we are also on the way to supporting the incremental authorization of scopes - thanks for highlighting the importance of this process on this list...

Cheers, Sergey
On 19/01/16 03:10, William Denniss wrote:
Agree with Justin, this is pretty common. We support it for re-auth as
well as incremental auth (where the user has already approved scope "a"
and is presented with a request for scopes "a b", they will only need to
approve scope "b").  In fact if you don't do this, then incremental auth
isn't really viable.

Regarding security: don't do this for non-confidential clients where you
can't verify the identity of the app by the redirect (e.g. a localhost
redirect to an installed app).

On Mon, Jan 18, 2016 at 4:44 AM, Sergey Beryozkin <sberyoz...@gmail.com
<mailto:sberyoz...@gmail.com>> wrote:

    Hi Justin, thanks for the advice,

    Cheers, Sergey

    On 18/01/16 11:47, Justin Richer wrote:

        Yes, this is common practice. Give the user the option to remember the
        decision. This is known as "trust on first use", or tofu. Our server,
        MITREid Connect, implements this as do many others.

        -- Justin

        Sent from my phone


        -------- Original message --------
        From: Sergey Beryozkin <sberyoz...@gmail.com
        <mailto:sberyoz...@gmail.com>>
        Date: 1/18/2016 5:59 AM (GMT-05:00)
        To: oauth@ietf.org <mailto:oauth@ietf.org>
        Subject: [OAUTH-WG] Can the repeated authorization of scopes be avoided?

        Hi All

        The question relates to the process of showing the authorization
        code/implicit flow consent screen to a user.


        I'm discussing with my colleagues the possibility of avoiding asking the
        same user whose session has expired and who is re-authenticating with AS
        which scopes should be approved.

        For example, suppose the OAuth2 client redirects a user with the
        requested scope 'a'. The user signs in to AS and is shown a consent
        screen asking to approve the 'a' scope. The user approves 'a' and the
        flow continues.

        Some time later, when the user's session has expired, the user is
        redirected to AS with the same 'a' scope.

        Would it be a good idea, at this point, not to show the user the consent
        screen asking to approve the 'a' scope again? For example, AS can
        persist the fact that a given user has already approved 'a' for a given
        client earlier, so when the user re-authenticates, AS will use this info
        and will avoid showing the consent screen.

        That seems to make sense, but I'm wondering, can there be some security
        implications associated with it? Any recommendations/advice will be
        welcome.

        Sergey

        _______________________________________________
        OAuth mailing list
        OAuth@ietf.org <mailto:OAuth@ietf.org>
        https://www.ietf.org/mailman/listinfo/oauth






--
Sergey Beryozkin

Talend Community Coders
http://coders.talend.com/

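The consent policy discussed in this thread (remember the approved scopes per user and client, prompt only for scopes not yet approved, and never skip the prompt for a non-confidential client whose redirect cannot identify the app), as an added example that is not code from any of the posters or from MITREid Connect. The names `Client`, `ConsentStore` and `consent_prompt` are hypothetical.

```python
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed example of an authorization server's consent decision.
# Everything here is illustrative; the class and function names are invented.

@dataclass(frozen=True)
class Client:
    client_id: str
    confidential: bool   # client can authenticate to the AS (e.g. holds a secret)
    redirect_uri: str    # registered redirect URI

# Loopback redirects are used by installed apps; any local process could
# receive the redirect, so the URI does not identify the app.
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}

def redirect_identifies_app(client: Client) -> bool:
    """True when the registered redirect URI points somewhere only this
    client controls (i.e. not a loopback address)."""
    host = urlparse(client.redirect_uri).hostname or ""
    return host not in LOOPBACK_HOSTS

def consent_may_be_remembered(client: Client) -> bool:
    # Remembered consent is only safe when the AS can tell the client apart:
    # either it authenticates, or its redirect URI vouches for it.
    return client.confidential or redirect_identifies_app(client)

@dataclass
class ConsentStore:
    # (user, client_id) -> set of scopes the user approved earlier
    approved: dict = field(default_factory=dict)

    def record(self, user: str, client: Client, scopes: set) -> None:
        """Persist the user's approval of `scopes` for this client."""
        self.approved.setdefault((user, client.client_id), set()).update(scopes)

    def consent_prompt(self, user: str, client: Client, requested: set) -> set:
        """Return the scopes that must be shown on the consent screen.
        An empty set means the request may proceed without prompting."""
        if not consent_may_be_remembered(client):
            return set(requested)             # always ask: tofu does not apply
        already = self.approved.get((user, client.client_id), set())
        return set(requested) - already       # incremental auth: new scopes only
```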
