[Openid-specs-fapi] Issue #452: When the user being authenticated is different from the user of the grant (openid/fapi)
Takahiko Kawasaki
issues-reply at bitbucket.org
Sat Oct 9 13:55:14 UTC 2021
New issue 452: When the user being authenticated is different from the user of the grant
https://bitbucket.org/openid/fapi/issues/452/when-the-user-being-authenticated-is
Takahiko Kawasaki:
As a grant represents privileges given to a client by a user, a grant specified by the `grant_id` request parameter is associated with a user. How should an authorization server behave when the user being authenticated is different from the user of the grant? Examples of possible actions are as follows.
1. Force the user to login as the user of the grant (and return an error if the user fails to login).
2. Ignore the `grant_id` and `grant_management_action` (whose value is either `replace` or `update`) request parameters (and not perform grant management). In other words, perform grant management only when the authenticated user is identical to the user of the grant.
Or, should the decision be left to authorization server implementations?
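The two options from the issue, as an added example that is not part of the original post or of the FAPI Grant Management spec: an authorization server checks that the grant named by `grant_id` belongs to the authenticated user before applying `grant_management_action`. The grant store, the `Decision` structure, the `policy` switch and the error names are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed grant store: grant_id -> owning subject and granted scopes.
GRANTS = {
    "g-123": {"sub": "alice", "scope": {"openid", "accounts"}},
}

@dataclass
class Decision:
    managed: bool                          # grant management applied or not
    error: Optional[str] = None            # assumed error names, not from the spec
    require_login_as: Optional[str] = None # option 1: who must authenticate
    grant_id: Optional[str] = None

def handle_grant_management(params, authenticated_sub, policy="ignore",
                            after_relogin=False):
    """policy='relogin' is option 1 (force login as the grant owner, error if
    that fails); policy='ignore' is option 2 (drop the parameters)."""
    grant_id = params.get("grant_id")
    action = params.get("grant_management_action")
    if grant_id is None or action not in ("update", "replace"):
        return Decision(managed=False)          # nothing to manage
    grant = GRANTS.get(grant_id)
    if grant is None:
        return Decision(managed=False, error="invalid_grant_id")  # assumed name
    if grant["sub"] != authenticated_sub:
        if policy == "relogin":
            if after_relogin:
                # user was asked to log in as the owner and still did not
                return Decision(managed=False, error="grant_owner_mismatch")
            return Decision(managed=False, require_login_as=grant["sub"])
        # option 2: behave as if grant_id/grant_management_action were absent
        return Decision(managed=False)
    # owner and authenticated user match: apply the requested action
    return Decision(managed=True, grant_id=grant_id)
```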