From RFC6749 Security Considerations:

> The authorization server SHOULD NOT process repeated authorization requests automatically (without active resource owner interaction) without authenticating the client or relying on other measures to ensure that the repeated request comes from the original client and not an impersonator.
(Vittorio) This is unclear. As it currently reads it seems to prohibit things like getting a new authz code silently via iframe (and prompt=none or equivalent UX suppressing mechanism, please ignore the ITP complications for the sake of argument).
I would say the current practice is OK as long as there are alternative countermeasures in place, e.g. if the AS is sure the code is only released to the legitimate owner of the client id because it controls the redirect URI.
In OAuth 2.0, registration of the redirect URI was not required, which is why this paragraph is in here.
Now that registration is required in OAuth 2.1, the concern of being redirected to arbitrary redirect URIs silently without user interaction is much less.
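To make the "other measures" argument concrete: the comments above say a silent (prompt=none) repeated request is acceptable when the AS knows the code can only be delivered to the party that controls the registered redirect URI. The following is an added illustration, not code from the OAuth 2.1 draft or any AS implementation; the client registry, client ids and URIs are constructed sample values. It shows the exact-string redirect_uri check that makes the argument hold, the prefix matching that would undermine it, and a decision function that only processes a non-interactive request once the redirect_uri has passed that check.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RegisteredClient:
    """Metadata recorded at client registration (constructed example)."""
    client_id: str
    redirect_uris: frozenset  # exact strings the client registered


# Constructed sample registry; in a real AS this comes from the registration store.
CLIENTS = {
    "app-123": RegisteredClient("app-123", frozenset({"https://app.example/cb"})),
}


def redirect_uri_allowed(client_id, redirect_uri):
    """Exact string comparison against the client's registered redirect URIs.

    No normalisation, prefix or wildcard matching: a trailing slash, an added
    query parameter or a look-alike host all fail, so the code can only be sent
    to a URI the registered client actually controls.
    """
    client = CLIENTS.get(client_id)
    if client is None:
        return False
    return redirect_uri in client.redirect_uris


def weak_prefix_match(registered_prefix, candidate):
    """The matching rule to avoid: a prefix check accepts URIs on other hosts
    whose string merely starts with the registered value."""
    return candidate.startswith(registered_prefix)


def evaluate_authorization_request(client_id, redirect_uri, prompt=None):
    """Decide how the AS handles an authorization request.

    Returns (decision, reason). A request with prompt=none (no resource owner
    interaction) is only processed once the redirect_uri is known to be
    registered for this client_id; otherwise it is rejected or sent through
    the interactive flow.
    """
    if client_id not in CLIENTS:
        return ("reject", "unknown client_id")
    if not redirect_uri_allowed(client_id, redirect_uri):
        return ("reject", "redirect_uri is not registered for this client")
    if prompt == "none":
        return ("silent_ok", "redirect_uri is registered; only its controller receives the code")
    return ("interactive", "resource owner interaction required")


if __name__ == "__main__":
    for uri in ("https://app.example/cb",
                "https://app.example/cb/",
                "https://app.example/cb?next=x",
                "https://app.example.attacker.example/cb"):
        print(uri, evaluate_authorization_request("app-123", uri, prompt="none"))
    print("prefix match accepts look-alike host:",
          weak_prefix_match("https://app.example", "https://app.example.attacker.example/cb"))
```

The decision function deliberately checks the redirect_uri before looking at prompt, so the silent path is never reached for a URI the AS cannot tie to the registered client; that ordering is the whole point of the comment that registration makes the RFC 6749 concern much smaller.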