re-authorization vs. re-authentication #116
Comments
|
Can you clarify if you mean it should be re-authentication or re-authorization? The text suggest you prefer re-authentication, but your recommendation is for re-authorization. |
|
I think that what's necessary is re-authorization, but in order to re-authorize the user, they must be re-authenticated. So my preference is to change the text to re-authentication. |
|
Ok, that is different from your proposal in the issue
|
|
+1 |
|
Yes I agree these should be "re-authentication". The goal is to leverage the existing step-up spec RFC9470, which has this language: https://www.rfc-editor.org/rfc/rfc9470#section-3
Yes we are talking about user authentication here. I am not actually sure how those two sentences in 3.2 and 3.3 turned in to "re-authorization". The user is not being authorized, the application is, and these sections are talking about the user. So "re-authentication" is correct. |
Yes, I had an error in the original issue. I updated the text in the issue to align with what I intended. Good catch! |
|
Thanks for the clarification Dean. I agree it should read re-authentication. |
|
I filed a PR #132. |
Sections 3.2 and 3.3 both use the language “re-authorization of the user is required” when the AS responds with an error to presentation of a refresh token (3.2) or the RS requires step up per RFC9470 (3.3). In both of these cases, re-authorization is required, however, I believe that the requirement is actually re-authentication of the user in order to re-authorize them.
I suggest changing both instances to re-authentication. (Edited to change re-authorization to re-authentication in this sentence.)
The text was updated successfully, but these errors were encountered: