aaronpk / oauth-first-party-apps

https://datatracker.ietf.org/doc/html/draft-parecki-oauth-first-party-apps

Better name for "device session" #27

Closed aaronpk closed 10 months ago

aaronpk commented 1 year ago

"Device session" is too overloaded of a term, and we might need something more specifically scoped to this spec. For example, authorization_challenge_request_transaction or auth_req_txn or something. The point is to make sure it's clear that this identifier is for this specific authorization challenge sequence, but not necessarily as permanent as what you might think of as a device's session.

For example, CIBA has auth_req_id https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html#rfc.section.7.3

gffletch commented 1 year ago

Can we just use auth_req_id from CIBA? That at least keeps the same meaning for the same parameter name. Or are the semantics slightly different such that we need to define something specific for this flow?

aaronpk commented 10 months ago

Based on the discussion in #35, we'll call this auth_session, along with the following: