[Openid-specs-ab] Issue #1070: scope approval by 2nd app in mobile SSO (OpenID Connect Native SSO for Mobile Apps 1.0) (openid/connect)
Nov Matake
issues-reply at bitbucket.org
Fri Mar 15 06:56:26 UTC 2019
New issue 1070: scope approval by 2nd app in mobile SSO (OpenID Connect Native SSO for Mobile Apps 1.0)
https://bitbucket.org/openid/connect/issues/1070/scope-approval-by-2nd-app-in-mobile-sso
Nov Matake:
In the mobile SSO spec, the 2nd app uses token exchange.
In that flow, there is no chance to get user approval for the specified scopes.
Is it intended?
Isn't it better for the 2nd app to do front-channel communication?
e.g.,
In the case below, do you allow "email_management" scope to the 2nd app even though the 1st app didn't get the scope?
1. A calendar app did the 1st OAuth dance w/ "calendar_management" scope, and saved the device secret in the vendor key store.
2. A mailer app comes later and uses the device secret to get access token w/ "email_management" scope.
Responsible: gffletch
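An added example, not from this issue, the Native SSO draft, or the openid/connect project: a toy authorization server that answers the question in the scenario above by binding the device secret issued to the 1st app to the scopes the user actually approved. A later app exchanging that secret (RFC 8693 request shape) receives at most those scopes; anything more, such as "email_management" when only "calendar_management" was approved, is refused so the 2nd app has to go through a front-channel authorization request. The session model, client names, helper names and the device-secret token-type URN are assumptions made for illustration.

```python
# Added example (not the draft's or the project's code). Assumptions: the
# DeviceSession model, the client/vendor registry, and the device-secret
# token-type URN, which is written here as the draft names it as far as I
# recall; treat it as illustrative.
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlencode
import secrets

TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"  # RFC 8693
ID_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:id_token"               # RFC 8693
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"       # RFC 8693
DEVICE_SECRET_TYPE = "urn:x-oath:params:oauth:token-type:device-secret"   # assumed


class InvalidGrant(Exception):
    """Would map to an OAuth error response with error=invalid_grant."""


class ConsentRequired(Exception):
    """Requested scopes the user never approved on this device (args[0])."""


@dataclass
class DeviceSession:
    subject: str
    vendor: str            # only apps of the same vendor may present the secret
    approved_scopes: set   # what the user approved in app 1's front-channel flow


@dataclass
class AuthorizationServer:
    clients: dict = field(default_factory=dict)   # client_id -> vendor (assumed registry)
    sessions: dict = field(default_factory=dict)  # device_secret -> DeviceSession

    def first_app_authorized(self, client_id, subject, scopes):
        """App 1 finished the code flow and the user approved `scopes`.
        Returns the device_secret app 1 stores in the vendor key store."""
        device_secret = secrets.token_urlsafe(32)
        self.sessions[device_secret] = DeviceSession(subject, self.clients[client_id], set(scopes))
        return device_secret

    def token_exchange(self, client_id, form_body):
        """Handle app 2's token-exchange request; returns the token response dict."""
        params = {k: v[-1] for k, v in parse_qs(form_body, strict_parsing=True).items()}
        if params.get("grant_type") != TOKEN_EXCHANGE_GRANT:
            raise InvalidGrant("unsupported grant_type")
        if params.get("subject_token_type") != ID_TOKEN_TYPE:
            raise InvalidGrant("subject_token must be an id_token")
        if params.get("actor_token_type") != DEVICE_SECRET_TYPE:
            raise InvalidGrant("actor_token must be a device_secret")
        session = self.sessions.get(params.get("actor_token", ""))
        if session is None:
            raise InvalidGrant("unknown or revoked device_secret")
        if self.clients.get(client_id) != session.vendor:
            raise InvalidGrant("client is not in the vendor group of this device_secret")
        # A real AS also validates the id_token carried as subject_token
        # (signature, iss, aud, and that it is bound to this device_secret);
        # that is elided here to keep the consent check in focus.
        requested = set(params.get("scope", "").split()) or set(session.approved_scopes)
        granted = requested & session.approved_scopes
        if not granted:
            # Nothing the user has consented to: the back channel cannot ask,
            # so app 2 must run a front-channel authorization request.
            raise ConsentRequired(sorted(requested - session.approved_scopes))
        return {
            "access_token": secrets.token_urlsafe(24),
            "issued_token_type": ACCESS_TOKEN_TYPE,
            "token_type": "Bearer",
            "expires_in": 3600,
            # RFC 6749 5.1: scope is returned when it differs from the request,
            # so app 2 learns it was downscoped to the approved set.
            "scope": " ".join(sorted(granted)),
        }


def exchange_request(id_token, device_secret, scope):
    """Build the form body app 2 sends to the token endpoint (assumed helper)."""
    return urlencode({
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "subject_token": id_token,
        "subject_token_type": ID_TOKEN_TYPE,
        "actor_token": device_secret,
        "actor_token_type": DEVICE_SECRET_TYPE,
        "scope": scope,
    })


def demo():
    """The scenario from the issue: calendar app first, mailer app later."""
    authz = AuthorizationServer(clients={"calendar-app": "acme", "mail-app": "acme"})
    ds = authz.first_app_authorized("calendar-app", "alice", ["openid", "calendar_management"])
    try:
        authz.token_exchange("mail-app", exchange_request("id-token-opaque", ds, "email_management"))
        return "granted"
    except ConsentRequired as e:
        return "consent_required:" + ",".join(e.args[0])


if __name__ == "__main__":
    print(demo())
```

With the policy above the mailer app cannot obtain "email_management" through the back channel; it either gets downscoped to what the calendar app's user approved or is told to use the front channel, which is the behaviour the issue asks the spec to take a position on.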