Join GitHub today
GitHub is home to over 36 million developers working together to host and review code, manage projects, and build software together.Sign up
The need_info response doesn't say that the ticket is REQUIRED #275
Actually, this probably needs a quick bit of discussion; I took off the editorial label. Now that we've required the ticket to rotate, the original squishy wording (connected to redirect_user) that we've updated seems to suggest that we should promote the ticket property out of the optional error_details structure entirely.
Old (as of Core 2.0 rev 01 Sec 184.108.40.206): "The permission ticket that was in the client's request for authorization data. If the authorization server provides the redirect_user property, it MAY also provide the ticket property. If it is provided, the client SHOULD NOT depend on the ticket's accuracy. Note: The appearance of the permission ticket is deprecated and will be removed in a future UMA version. It is included here for backwards compatibility."
Latest (as of Core 2.0 rev 13 Sec 3.6.8): "A permission ticket that allows the client to make further requests to the authorization server during this attempted authorization. The value of this permission ticket MUST NOT be the same as the one the client used to make its request."
We can say it's REQUIRED, but the problem is that the entire error_details structure is OPTIONAL, and need_info really needs to provide a permission ticket because the client is counting on the ticket to continue the authorization process. So should the internal structure be REQUIRED ticket + OPTIONAL error_details?
Here's what the email said:
There are three problems.
Part of the question on the call was if we were allowed to put