Give guidance that enforcement of same device use of the protocol is something the authorization server should do, in addition to a design time constraint.
From Roy Williams:
1) At the end of section (5) there is a paragraph that talks about limiting Cross-device protocols on the same device. It does not seem to be something that a client could\would know about when let’s say YouTube TV requests auth and it ends up on Authenticator on the same device. In theory this would then be the Authenticator Service’s Job to determine this situation and respond with a well known pattern to drive the client to engage in a local oath call directly to authenticator.
Give guidance that enforcement of same device use of the protocol is something the authorization server should do, in addition to a design time constraint.
From Roy Williams:
1) At the end of section (5) there is a paragraph that talks about limiting Cross-device protocols on the same device. It does not seem to be something that a client could\would know about when let’s say YouTube TV requests auth and it ends up on Authenticator on the same device. In theory this would then be the Authenticator Service’s Job to determine this situation and respond with a well known pattern to drive the client to engage in a local oath call directly to authenticator.
Full feedback here: https://mailarchive.ietf.org/arch/msg/oauth/wC0iOyc9bPxcvv8OmnAt0EcKw6I/