V3 - Move and update 3.2.5 #2368
Comments
|
Moving requirement was proposed and agreed during the summit. Requirement text rises some questions - why to use "or"? I think it is not "consent" or "action"? How you can achieve a consent without an action? I would use "and" or "by". |
elarlang
added
1) Discussion ongoing
|
Consent may have specific meaning in certain contexts whereas an "action" may not satisfy consent, but nevertheless conveys the user's intent (and presence). I would also be happy reformulating it to remove "consent" as in the following:
|
elarlang
added
the
4) proposal for review
This is debatable - is user presence achieved if user's browser is visiting some URL? But without user noticing it.
I would keep it in. Consent here is the abstract goal to achieve - the user knows that the application creates a new session for the user. I'm not happy about the wording from initial proposal, but I also don't know how to improve it, so I propose to go with this one:
|
I would say that presence is achieved in that scenario and that the logical |
|
User browser visiting the application != user presence. User intent is something we can not verify from the application. So it is user-interaction needed to verify the user consent. |
|
Alright, so the initial proposal is fine for now then?
I can make a PR. |
elarlang
added
6) PR awaiting review
and removed
4) proposal for review
I included it into #2373 |
At present, 3.2.5 is intended to prevent the forced creation of application sessions as could occur through an unintended interaction with an SSO system. As such, it is probably more appropriate in V3.6. I also think the wording could use an update. Ping @elarlang
Original (V3.2 Session Binding)
Proposed (V3.6 Federated Re-authentication)
Related discussion in #2120.
The text was updated successfully, but these errors were encountered: