
This question is about the interpretation of the OAuth 2.0 framework, RFC 6749 §3.1, specifically the phrase:

The authorization server MUST first verify the identity of the resource owner. The way in which the authorization server authenticates the resource owner (e.g., username and password login, session cookies) is beyond the scope of this specification.

What does "verify the identity" mean in this context?

  1. The authorization server MUST ensure that the resource owner is authenticated.
  2. The above AND the authorization server MUST ensure that the intended identity is being used, e.g. by always prompting the user to acknowledge or select the intended identity.

Interpretation 1 may lead to the following undesired effects: In cases where a resource owner has multiple accounts with the same authorization server and the authorization server is using some persistent login session, a user that is performing authorization with multiple accounts may unintentionally perform authorization with only the first account, unless taking measures to terminate any previous login session.

It seems that some OAuth 2.0 authorization servers are adhering to interpretation 2 (notably Google), but that may just be because they have special use cases that call for this.

1 Answer

RFC 6749 does not define the answer to your question for the very reason that it defines identity verification as out of scope. All accounts are about the same user and verification should happen for each of them anyhow. The exact behaviour in dealing with multiple accounts at the same Authorization Server is left to the interpretation/implementation of the Authorization Server. Common sense would indeed suggest that interpretation 2 makes most sense and avoids inadvertent login with the "wrong" account and does not make the user restart their browser to switch accounts. But your mileage may vary because that behaviour is not dictated by the spec.

Hans Z.
  • I have to agree. Indeed, if the authors meant "verify identity" and "authenticate" to be different things, they would have made that clear. I wonder whether this issue is a consideration for GNAP? – Morten Frederiksen Jun 02 '22 at 08:32
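The effect the question describes under interpretation 1, and the account-selection behaviour the answer recommends, can be made concrete with a small model of an authorization server's session handling. The Python below is an added illustration written for this page, not code from RFC 6749, Google, or any real authorization server; the `AuthorizationServer` class, its `policy` values, the session identifier and the two account names are all constructed for the walkthrough. It drives the same user story through both policies: Alice authorizes a client with her work account, then, without logging out, tries to authorize the same client with her personal account.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed account identifiers for the walkthrough.
WORK = "alice@work.example"
PERSONAL = "alice@personal.example"


@dataclass
class Session:
    """A persistent browser login session at the authorization server (toy model)."""
    accounts: list = field(default_factory=list)  # identities authenticated in this session
    active: Optional[str] = None                  # identity the server would use by default


@dataclass
class AuthorizationServer:
    # "authenticate_only" models interpretation 1; "select_account" models interpretation 2.
    policy: str
    sessions: dict = field(default_factory=dict)
    grants: list = field(default_factory=list)    # (client_id, account) pairs actually issued

    def login(self, session_id: str, account: str) -> None:
        """Authenticate a resource owner; the first login becomes the session's active identity."""
        s = self.sessions.setdefault(session_id, Session())
        if account not in s.accounts:
            s.accounts.append(account)
        if s.active is None:
            s.active = account

    def authorize(self, session_id: str, client_id: str, selected: Optional[str] = None):
        """Handle one authorization request.

        Returns ('grant', account), ('prompt', [accounts]) or ('login_required', None).
        """
        s = self.sessions.get(session_id)
        if s is None or not s.accounts:
            return ("login_required", None)
        if self.policy == "authenticate_only":
            # Interpretation 1: the owner is authenticated, so the active identity is used
            # silently. Whatever the user intended is never asked for.
            self.grants.append((client_id, s.active))
            return ("grant", s.active)
        # Interpretation 2: the owner must confirm which identity the grant is for.
        if selected is None:
            return ("prompt", list(s.accounts))
        if selected not in s.accounts:
            # The chosen identity is not authenticated in this session yet.
            return ("login_required", None)
        s.active = selected
        self.grants.append((client_id, selected))
        return ("grant", selected)


def request_grant(srv: AuthorizationServer, session_id: str, client_id: str, intended: str) -> str:
    """Drive one authorization request the way a user who wants `intended` would respond."""
    action, payload = srv.authorize(session_id, client_id)
    if action == "prompt":
        action, payload = srv.authorize(session_id, client_id, selected=intended)
    if action == "login_required":
        srv.login(session_id, intended)
        action, payload = srv.authorize(session_id, client_id, selected=intended)
    assert action == "grant"
    return payload


def walkthrough(policy: str) -> list:
    """Return the accounts the two grants were actually issued for under the given policy."""
    srv = AuthorizationServer(policy)
    sid = "browser-session-1"   # one browser, one persistent login session
    request_grant(srv, sid, "photo-printer", intended=WORK)
    request_grant(srv, sid, "photo-printer", intended=PERSONAL)
    return [account for _, account in srv.grants]


if __name__ == "__main__":
    print("interpretation 1:", walkthrough("authenticate_only"))  # both grants go to the work account
    print("interpretation 2:", walkthrough("select_account"))     # work, then personal
```

Under `authenticate_only` the second grant is silently issued for the work account, which is exactly the inadvertent wrong-account authorization the question warns about; under `select_account` the account chooser surfaces the mismatch and the personal account is authenticated and used. In deployed systems the equivalent of the second policy is usually exposed to clients as a request parameter rather than hard-wired (OpenID Connect Core, for example, defines `prompt=select_account` for this purpose), but that mechanism is outside what RFC 6749 itself specifies.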