RFC 6749 discusses client impersonation https://datatracker.ietf.org/doc/html/rfc6749#section-10.2
> The authorization server SHOULD NOT process repeated authorization > requests automatically (without active resource owner interaction) > without authenticating the client or relying on other measures to > ensure that the repeated request comes from the original client and > not an impersonator. Does anyone know why this is only SHOULD NOT? For public clients, how about strengthening it to MUST NOT? How else can the authorization server ensure the request comes from the original client, not an impersonator? Even though RFC 8252 clarifies "This includes the case where the user has previously approved an authorization request for a given client id" https://datatracker.ietf.org/doc/html/rfc8252#section-8.6 most authorization servers that I've tested ignore this recommendation https://github.com/hickford/git-credential-oauth/issues/17 Corresponding section in draft OAuth 2.1 https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-08#section-7.2 _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth