Closed pq2 closed 2 years ago
Related to #22
This is more of a security consideration, so we will remove the normative requirements here and have a wider discussion about the different combinations and deployments and what these all mean for making sure the user is "there" in the different circumstances.
Section 2.5.2.1 states that
the client instance MUST ensure the end-user is present on the request
when using the redirect interaction finish mode.

Perhaps this could be elaborated a bit further. I assume this means that if the redirect interaction start mode is used together with the redirect interaction finish mode, the client instance must validate session information as mentioned in Appendix D.1, e.g. using a session identifier that is sent as a cookie. But how should the wording in Section 2.5.2.1 be interpreted if a different interaction start mode is used? When using the user code interaction start mode, for example, the interaction normally takes place on a different device, so cookies cannot be used for this validation.
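As an added illustration (not code from this issue or from the GNAP specification) of the Appendix D.1 style session check the question refers to for the redirect start + redirect finish combination: the client instance binds each pending grant request to a browser session identifier it sets as a cookie, and accepts a finish redirect only when the arriving browser carries that same cookie, which is exactly what a different-device start mode such as user code cannot supply. The in-memory store and the function and field names are assumptions for the example.

```python
import secrets
from typing import Optional

# Constructed example: grant requests the client instance has started with
# the redirect start mode but not yet finished, keyed by the browser session
# identifier that the client sets as a cookie. A real client instance would
# keep this in its server-side session storage (assumed structure).
PENDING_GRANTS: dict = {}


def start_redirect_interaction(continuation_uri: str) -> str:
    """Start of the redirect interaction: remember the grant under a fresh,
    unguessable session identifier and return it so the client can set it
    as a cookie before redirecting the end-user to the AS."""
    session_id = secrets.token_urlsafe(32)
    PENDING_GRANTS[session_id] = {
        "continuation_uri": continuation_uri,  # hypothetical field name
        "finished": False,
    }
    return session_id


def finish_redirect_interaction(cookie_session_id: Optional[str]) -> Optional[dict]:
    """Redirect finish: the AS sends the end-user's browser back to the
    client's finish URI. Return the pending grant only if the request carries
    the session cookie that started it; otherwise the client cannot tell that
    the end-user is present on this request and must reject it (None)."""
    if not cookie_session_id:
        # No cookie at all: a different browser or device (as with the user
        # code start mode), or a finish link that was simply pasted in.
        return None
    record = PENDING_GRANTS.get(cookie_session_id)
    if record is None or record["finished"]:
        # Unknown session, or a finish that was already consumed (replay).
        return None
    record["finished"] = True
    return record
```

The key property is that the finish URI is only accepted from the browser session that started the grant; a session identifier that is never presented, or is presented twice, is rejected.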