Extract from the Introduction on page 5 of draft-08:
This protocol allows a piece of software, the client instance, to request delegated authorization to resource servers and to request direct information. (…)
The end-user operating the software may interact with the authorization server to authenticate, provide consent, and authorize the request.
Hence, the authentication of end-users by an AS is not required. Does it mean that the authentication of the "piece of software" used by an end-user SHALL be mandatory? If so, how this "piece of software" should be associated with the end-user is left undefined.
Considerations about an end-user changing that "piece of software", or using several pieces of software at the same instant of time, are not mentioned.
How an AS may associate some rights or attributes with an end-user is left undefined.
Note that the EU Payments Services Directive (PSD2) mandates the use of MFA (Multi Factor Authentication) with the AS.
Why would a strong authentication of end-users by an AS not be sufficient, hence avoiding the authentication of "pieces of software"?