The authorization server SHOULD enforce explicit resource owner authentication and provide the resource owner with information about the client and the requested authorization scope and lifetime. It is up to the resource owner to review the information in the context of the current client and to authorize or deny the request.
What does this mean in practice?
Is it a full credential prompt regardless of whether one session already exists?
A selection between existing sessions, if present?
From RFC6749 Security Considerations
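One way an authorization server could implement the quoted requirement, shown as an added example that is not from the RFC or from the question. The RFC text above does not prescribe a mechanism, so this code assumes one policy choice: the browser session must carry an authentication event no older than a configurable maximum age, otherwise the user is sent to the login step before any consent screen is built; the consent view then carries the client name, the requested scope and the token lifetime for the resource owner to review. All names (ClientRecord, Session, CLIENTS, authorize, decide, MAX_AUTH_AGE) and the sample client data are constructed for this example.

```python
"""Added example: authorization-endpoint decision logic for an OAuth 2.0
authorization server. Models one reading of "explicit resource owner
authentication": require a recent login before showing consent, and put the
client identity, scope and lifetime in front of the resource owner.
Everything here (names, policy threshold, sample client) is assumed."""
from dataclasses import dataclass
from typing import Optional

# Assumed policy: a login older than this is not "explicit" enough for a new
# authorization decision and the user must authenticate again.
MAX_AUTH_AGE = 300  # seconds


@dataclass(frozen=True)
class ClientRecord:
    client_id: str
    name: str                  # human-readable name shown on the consent screen
    redirect_uris: tuple       # registered redirect URIs (exact match only)
    allowed_scopes: frozenset  # scopes this client may request
    token_lifetime: int        # seconds; surfaced to the user as the lifetime


@dataclass
class Session:
    user_id: Optional[str]     # None when nobody is logged in
    auth_time: Optional[int]   # Unix time of the last explicit authentication


# Constructed sample registration; a real server would load this from storage.
CLIENTS = {
    "app-123": ClientRecord(
        client_id="app-123",
        name="Example Photo Printer",
        redirect_uris=("https://app.example/cb",),
        allowed_scopes=frozenset({"photos:read"}),
        token_lifetime=3600,
    ),
}


def authorize(session, client_id, redirect_uri, scope, now):
    """Return the next step for an /authorize request:
    ("error", reason)   - request rejected before any user interaction
    ("login", info)     - explicit authentication required first
    ("consent", view)   - data the resource owner reviews before allow/deny
    """
    client = CLIENTS.get(client_id)
    # Unknown client or unregistered redirect_uri: fail closed and never
    # redirect, so the error cannot be bounced to an attacker-chosen URI.
    if client is None or redirect_uri not in client.redirect_uris:
        return ("error", "invalid_client_or_redirect")

    requested = set(scope.split())
    if not requested or not requested <= client.allowed_scopes:
        return ("error", "invalid_scope")

    # Explicit authentication check: no session, or a session whose login is
    # older than MAX_AUTH_AGE, is sent to the login step first.
    if (session.user_id is None or session.auth_time is None
            or now - session.auth_time > MAX_AUTH_AGE):
        return ("login", {"reason": "explicit_authentication_required"})

    # Consent view: everything the RFC text says the resource owner needs to
    # judge the request in the context of the current client.
    view = {
        "user_id": session.user_id,
        "client_id": client.client_id,
        "client_name": client.name,
        "scope": sorted(requested),
        "token_lifetime_seconds": client.token_lifetime,
        "actions": ("allow", "deny"),
    }
    return ("consent", view)


def decide(view, decision):
    """Apply the resource owner's explicit choice. Only a literal "allow"
    yields a grant; anything else (deny, closed tab, garbage) is a denial."""
    if decision == "allow":
        return {"granted": True, "user_id": view["user_id"],
                "client_id": view["client_id"], "scope": view["scope"]}
    return {"granted": False, "error": "access_denied"}


if __name__ == "__main__":
    fresh = Session(user_id="alice", auth_time=990)
    stale = Session(user_id="alice", auth_time=100)
    print(authorize(stale, "app-123", "https://app.example/cb", "photos:read", now=1000))
    step, view = authorize(fresh, "app-123", "https://app.example/cb", "photos:read", now=1000)
    print(step, view)
    print(decide(view, "allow"))
```

The design choice worth noting is that the age check is on the session's authentication event, not on the session's existence: a long-lived cookie alone does not satisfy it, while a user who just logged in is not prompted twice. Lowering MAX_AUTH_AGE to zero turns the same code into the "always re-prompt for credentials" reading of the text, which is why the threshold is a single constant rather than spread through the logic.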