Given: a company named X has an OAuth 2 API available for its proprietary clients and also for 3rd-party clients.
When a user P enters the process of authorizing a client, they are prompted with a window (right after authentication) showing several pieces of information (such as the application name, the scopes required, etc.) and must click either “confirm” or “cancel” to continue the process.
While letting the user confirm or deny authorization requests from 3rd-party clients makes sense, does it still make sense to show this confirmation window for X's proprietary clients?
- Is there something in the standard that forces this confirmation for every authorization request?
- Is there a best practice in regard to that, that everyone agrees on?