From 5a86e384dd94298764fa36d5a6b52b12ce5f9cdc Mon Sep 17 00:00:00 2001 From: Johannes Marbach Date: Fri, 7 Jun 2024 10:34:34 +0200 Subject: [PATCH] Clarify that per-request UIA for /login/get_token is an RFC 2119 MUST requirement (#1846) Signed-off-by: Johannes Marbach --- changelogs/client_server/newsfragments/1846.clarification | 1 + data/api/client-server/login_token.yaml | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) create mode 100644 changelogs/client_server/newsfragments/1846.clarification diff --git a/changelogs/client_server/newsfragments/1846.clarification b/changelogs/client_server/newsfragments/1846.clarification new file mode 100644 index 000000000..6f57eb358 --- /dev/null +++ b/changelogs/client_server/newsfragments/1846.clarification @@ -0,0 +1 @@ +Clarify that per-request UIA for /login/get_token is an RFC 2119 MUST requirement. diff --git a/data/api/client-server/login_token.yaml b/data/api/client-server/login_token.yaml index a8ab12487..19fa350ee 100644 --- a/data/api/client-server/login_token.yaml +++ b/data/api/client-server/login_token.yaml @@ -45,7 +45,7 @@ paths: intend to log in multiple devices must generate a token for each. With other User-Interactive Authentication (UIA)-supporting endpoints, servers sometimes do not re-prompt - for verification if the session recently passed UIA. For this endpoint, servers should always re-prompt + for verification if the session recently passed UIA. For this endpoint, servers MUST always re-prompt the user for verification to ensure explicit consent is gained for each additional client. Servers are encouraged to apply stricter than normal rate limiting to this endpoint, such as maximum