[Openid-specs-ab] Issue #1070: scope approval by 2nd app in mobile SSO (OpenID Connect Native SSO for Mobile Apps 1.0) (openid/connect)

Nov Matake issues-reply at bitbucket.org
Fri Mar 15 06:56:26 UTC 2019


New issue 1070: scope approval by 2nd app in mobile SSO (OpenID Connect Native SSO for Mobile Apps 1.0)
https://bitbucket.org/openid/connect/issues/1070/scope-approval-by-2nd-app-in-mobile-sso

Nov Matake:

In the mobile SSO spec, the 2nd app uses token exchange.
In that flow, there is no chance to get user approval for the specified scopes.
Is it intended?

Isn't it better for the 2nd app to do front-channel communication?

e.g.,
In the case below, do you allow the "email_management" scope to the 2nd app even though the 1st app didn't get that scope?

1. A calendar app did the 1st OAuth dance w/ the "calendar_management" scope, and saved the device secret in the vendor key store.
2. A mailer app comes later and uses the device secret to get an access token w/ the "email_management" scope.

Responsible: gffletch
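The scope-escalation concern raised above, as an added example that is not from the thread or the Native SSO draft: an authorization-server-side policy check for the token-exchange step that only issues scopes the user already approved in the 1st app's front-channel flow and otherwise signals that a front-channel authorization is required. The session store, the `device_secret` value, the client ids and the reduced request parameters are all assumptions constructed for the example.

```python
"""Added example (not from the thread or the Native SSO spec). Assumes the AS
records, per device_secret it issued, which scopes the user consented to in the
1st app's front-channel authorization and which sibling apps may present it."""
from dataclasses import dataclass


@dataclass(frozen=True)
class DeviceSession:
    # Scopes the user explicitly approved during the 1st app's front-channel flow.
    approved_scopes: frozenset
    # Apps sharing the vendor key store that are allowed to present this device_secret.
    allowed_clients: frozenset


# Constructed sample store: the calendar app's session from the scenario above.
SESSIONS = {
    "ds-abc123": DeviceSession(
        approved_scopes=frozenset({"openid", "calendar_management"}),
        allowed_clients=frozenset({"calendar-app", "mailer-app"}),
    ),
}


def evaluate_exchange(client_id, device_secret, requested_scope, sessions=SESSIONS):
    """Decide the outcome of a 2nd app's token-exchange request.

    Only the parameters relevant to the scope decision are modelled (the full
    RFC 8693 parameter set is omitted). Returns one of:
      ("issue", scopes)                   every requested scope was already approved
      ("front_channel_required", missing) the 2nd app asks for scopes the user never
                                          approved, so it must run its own front-channel
                                          authorization instead of a silent exchange
      ("invalid_grant", frozenset())      unknown device_secret or client not entitled
    """
    session = sessions.get(device_secret)
    if session is None or client_id not in session.allowed_clients:
        return ("invalid_grant", frozenset())
    requested = frozenset(requested_scope.split())
    missing = requested - session.approved_scopes
    if missing:
        # Never widen consent through the back channel: the mailer app asking for
        # email_management on the calendar app's consent is rejected here.
        return ("front_channel_required", missing)
    return ("issue", requested)
```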
