-
assigned issue to
- changed status to open
Basic 3.2.3 - user's authorization decision cannot be forced
Issue #68
resolved
Section 3.2.3 states that "Authorization Server MUST obtain an authorization decision". This cannot be enforced since users cannot be forced to take action, i.e., all implementations will be non-compliant when a user does not respond to the authorization question (and closes their browser, for example).
Comments (3)
-
In Basic, this section is just informative and not something to be implemented by the client. Thus, remove the normative language like 'MUST'.
In Messages, describe it as follows:
- Case no-previous login/consent => MUST attempt to show Login/Consent screen.
- Case prompt=login / consent => ditto
- Case display=none => Do not show the Login/Consent screen.
-
- changed status to resolved
fixes #68