Clarify that per-request UIA for /login/get_token is an RFC 2119 MUST requirement (#1846)

Signed-off-by: Johannes Marbach <n0-0ne+github@mailbox.org>
3 weeks ago · 5a86e384dd
parent 1e303b3bbc
commit 5a86e384dd
2 changed files with 2 additions and 1 deletions
--- a/changelogs/client_server/newsfragments/1846.clarification
+++ b/changelogs/client_server/newsfragments/1846.clarification
@ -0,0 +1 @@
+Clarify that per-request UIA for /login/get_token is an RFC 2119 MUST requirement.
--- a/data/api/client-server/login_token.yaml
+++ b/data/api/client-server/login_token.yaml
@ -45,7 +45,7 @@ paths:
        intend to log in multiple devices must generate a token for each.

        With other User-Interactive Authentication (UIA)-supporting endpoints, servers sometimes do not re-prompt
-        for verification if the session recently passed UIA. For this endpoint, servers should always re-prompt
+        for verification if the session recently passed UIA. For this endpoint, servers MUST always re-prompt
        the user for verification to ensure explicit consent is gained for each additional client.

        Servers are encouraged to apply stricter than normal rate limiting to this endpoint, such as maximum
				`@ -0,0 +1 @@`
				`Clarify that per-request UIA for /login/get_token is an RFC 2119 MUST requirement.`