On Mon, May 24, 2010 at 6:18 PM, Manger, James H
<[email protected]> wrote:
> Torsten,
>
> I obviously agree that supporting responses with multiple tokens is useful.
> My original suggestion (application/credentials 
> http://www.ietf.org/mail-archive/web/oauth/current/msg01920.html) also had 
> multiple tokens with just one refresh_token.
>
> I now think it would be simpler to understand, parse, specify, and agree on 
> if we don't try to split fields between those that are common to all the 
> tokens in a response and those that are specific to one token. A JSON array 
> of JSON objects -- one JSON object per token -- is significantly simpler. If 
> some information is duplicated in two tokens that is a very minor 
> inefficiency (eg a few dozen extra bytes in one response).
>
> Marius,
> Supporting the swapping (down-scoping) of tokens with extra calls might be 
> feasible, but it feels like a more complex and less flexible solution. It has 
> more overhead (extra round trips). It would also need extra information to 
> tell the client that swapping is possible, and for what 
> scopes/servers/schemes/... it can, should or must be done.

I agree that the extra calls complicate things. How does the authz
server know how to partition the scopes to the multiple tokens? One
scope per token? What if an API requires multiple scopes?


Marius
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
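As an added illustration (not code from this thread or from any OAuth draft), here is a client-side parser for the "JSON array of JSON objects, one per token" shape James argues for, together with a selector that addresses Marius's partitioning question from the client's side: an API needing several scopes can only be served by a token whose scope set covers all of them. The `tokens` key, `scope` as a list, and the sample values are assumptions for the example.

```python
import json
from typing import List, Optional

# Constructed sample of the array-of-token-objects shape discussed above:
# one JSON object per token, common fields simply repeated per entry.
# Field names are assumptions for illustration, not a specification.
SAMPLE_RESPONSE = json.dumps({
    "tokens": [
        {"access_token": "tok-contacts", "token_type": "bearer",
         "scope": ["contacts.read"], "expires_in": 3600,
         "refresh_token": "rt-1"},
        {"access_token": "tok-calendar", "token_type": "bearer",
         "scope": ["calendar.read", "calendar.write"], "expires_in": 3600,
         "refresh_token": "rt-1"},
    ]
})

REQUIRED = {"access_token", "token_type", "scope"}

def parse_tokens(body: str) -> List[dict]:
    """Parse a multi-token response; reject malformed entries instead of
    guessing, so the client never sends a token value it did not validate."""
    doc = json.loads(body)
    tokens = doc.get("tokens") if isinstance(doc, dict) else None
    if not isinstance(tokens, list) or not tokens:
        raise ValueError("response must carry a non-empty 'tokens' array")
    out = []
    for entry in tokens:
        if not isinstance(entry, dict) or not REQUIRED <= entry.keys():
            raise ValueError("token entry missing one of %s" % sorted(REQUIRED))
        if not isinstance(entry["scope"], list):
            raise ValueError("scope must be a list of scope strings")
        out.append(entry)
    return out

def select_token(tokens: List[dict], needed: set) -> Optional[dict]:
    """Pick a token whose scope set covers every scope the API call needs.
    Among candidates, prefer the narrowest so the call is not over-privileged."""
    candidates = [t for t in tokens if needed <= set(t["scope"])]
    if not candidates:
        return None
    return min(candidates, key=lambda t: len(t["scope"]))

if __name__ == "__main__":
    toks = parse_tokens(SAMPLE_RESPONSE)
    chosen = select_token(toks, {"calendar.read", "calendar.write"})
    print(chosen["access_token"] if chosen else "no token covers the request")
```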