I've been wondering about this as well and haven't seen any best practices or
suggestions on the matter. All of our stuff is still 1.0-based since it seems
switching to 1.0a will close the door on the old way -- at least as far as how
most of the libraries seem to be implementing things.
Is
Nothing exists for this specifically in OAuth, partially because not all APIs
have a notion of a username. However, I think that it makes sense to have a
notion of per-instance metadata attached to a token. For example, if a user has
two instances of a thick client, both of those will have
Refreshing an access token is quite simple -- you call the token endpoint with
your client credentials and the refresh token as an argument. You'll get back
an access token like normal. See RFC6749 section 6 for the gritty details.
-- Justin
On Jul 31, 2013, at 5:31 AM, Baptiste
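
The refresh call described in the message above, as an added example that is not part of the original thread: it builds the RFC 6749 section 6 request (client credentials sent with HTTP Basic) and parses the token endpoint's reply, including refresh token rotation and the `invalid_grant` error. The client id, secret, token values and sample responses are constructed, and the function names are assumptions for illustration.

```python
import base64
import json
from urllib.parse import quote_plus, urlencode

class TokenError(Exception):
    """Token endpoint returned an error such as invalid_grant."""

def build_refresh_request(client_id, client_secret, refresh_token, scope=None):
    """Return (headers, body) for the POST to the token endpoint."""
    params = {"grant_type": "refresh_token", "refresh_token": refresh_token}
    if scope:
        params["scope"] = scope  # must not exceed the originally granted scope
    # RFC 6749 section 2.3.1: form-urlencode each credential before joining
    # with ":" so a colon or slash in the secret cannot corrupt the pair.
    pair = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
    headers = {
        "Authorization": "Basic " + base64.b64encode(pair.encode()).decode(),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return headers, urlencode(params)

def parse_token_response(status, body, current_refresh_token):
    """Return the new token set, or raise TokenError on an error response."""
    data = json.loads(body)
    if status != 200 or "error" in data:
        # invalid_grant: refresh token expired, revoked, or issued to another client
        raise TokenError(data.get("error", "unknown_error"))
    return {
        "access_token": data["access_token"],
        "expires_in": data.get("expires_in"),
        # The server may rotate the refresh token; if it does, the old one
        # must be discarded, otherwise keep using the current one.
        "refresh_token": data.get("refresh_token", current_refresh_token),
    }

# Constructed sample responses (not captured from any real server).
ROTATED = '{"access_token": "at-2", "token_type": "Bearer", "expires_in": 3600, "refresh_token": "rt-2"}'
NOT_ROTATED = '{"access_token": "at-3", "token_type": "Bearer", "expires_in": 3600}'
REJECTED = '{"error": "invalid_grant"}'

if __name__ == "__main__":
    headers, body = build_refresh_request("example-client", "s3cr3t/with:colon", "rt-1")
    print(headers["Authorization"], body)
    print(parse_token_response(200, ROTATED, "rt-1"))
```

Send the returned headers and body over TLS only, and treat `invalid_grant` as a signal to restart the authorization flow rather than retrying with the same refresh token.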