> How does the authz server know how to partition the scopes to the multiple tokens?
> One scope per token? What if an API requires multiple scopes?

An AS will generally know a fair bit about the services for which it is issuing access tokens -- at least which services require what sort of token.

For situations where the client app has more knowledge than the AS on how tokens will be used, the client app could tell the AS how to partition tokens with another parameter in the user-uri (though OAuth2 doesn't necessarily have to standardise such a parameter now).

--
James Manger

-----Original Message-----
From: Marius Scurtescu [mailto:[email protected]]
Sent: Tuesday, 25 May 2010 1:52 PM
To: Manger, James H
Cc: Torsten Lodderstedt; OAuth WG ([email protected])
Subject: Re: [OAUTH-WG] multiple access tokens from a single authorization flow?

On Mon, May 24, 2010 at 6:18 PM, Manger, James H <[email protected]> wrote:
> Torsten,
>
> I obviously agree that supporting responses with multiple tokens is useful.
> My original suggestion (application/credentials
> http://www.ietf.org/mail-archive/web/oauth/current/msg01920.html) also had
> multiple tokens with just one refresh_token.
>
> I now think it would be simpler to understand, parse, specify, and agree on
> if we don't try to split fields between those that are common to all the
> tokens in a response and those that are specific to one token. A JSON array
> of JSON objects -- one JSON object per token -- is significantly simpler. If
> some information is duplicated in two tokens that is a very minor
> inefficiency (eg a few dozen extra bytes in one response).
>
>
> Marius,
> Supporting the swapping (down-scoping) of tokens with extra calls might be
> feasible, but it feels like a more complex and less flexible solution. It has
> more overhead (extra round trips). It would also need extra information to
> tell the client that swapping is possible, and for what
> scopes/servers/schemes/... it can, should or must be done.

I agree that the extra calls complicate things.

How does the authz server know how to partition the scopes to the multiple tokens?
One scope per token? What if an API requires multiple scopes?

Marius

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
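The following is an added illustration, not code from the thread, from any OAuth implementation, or from the IETF draft: a client-side parser for the "JSON array of JSON objects, one object per token" response shape James proposes, plus the selection step that answers Marius's multi-scope question (a single token carries a space-separated scope set, so an API needing several scopes is served by one token whose set covers all of them). The top-level array shape and the per-token "server" field (which origin the token may be presented to) are assumptions made for the example; OAuth 2.0 as eventually published (RFC 6749) defines only a single-token response.

```python
import json
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional

# Constructed sample response in the "array of token objects" shape, with
# nothing shared across objects. The refresh_token is deliberately repeated
# in every object: that is the "few dozen extra bytes" the proposal accepts.
# The "server" field is an assumption for this example.
SAMPLE_RESPONSE = json.dumps([
    {"access_token": "tok-contacts-rw", "server": "https://contacts.example.net",
     "scope": "contacts.read contacts.write", "expires_in": 3600, "refresh_token": "rt-1"},
    {"access_token": "tok-contacts-r", "server": "https://contacts.example.net",
     "scope": "contacts.read", "expires_in": 3600, "refresh_token": "rt-1"},
    {"access_token": "tok-calendar", "server": "https://calendar.example.net/",
     "scope": "calendar.read", "expires_in": 3600, "refresh_token": "rt-1"},
])

REQUIRED_FIELDS = ("access_token", "server", "scope")


@dataclass(frozen=True)
class Token:
    access_token: str
    server: str                 # normalised origin the token was issued for
    scopes: FrozenSet[str]      # parsed from the space-separated "scope" string
    expires_in: int
    refresh_token: Optional[str]


def _normalise_server(url: str) -> str:
    # Trailing-slash and case differences must not cause a token to be
    # presented to the wrong host or withheld from the right one.
    return url.rstrip("/").lower()


def parse_token_response(body: str) -> List[Token]:
    """Parse a multi-token response: a JSON array, one self-describing object
    per token. Every object must carry its own server and scope, so the
    client never has to merge response-level fields into per-token fields."""
    data = json.loads(body)
    if not isinstance(data, list) or not data:
        raise ValueError("expected a non-empty JSON array of token objects")
    tokens = []
    for i, obj in enumerate(data):
        if not isinstance(obj, dict):
            raise ValueError(f"token {i}: not a JSON object")
        missing = [k for k in REQUIRED_FIELDS if k not in obj]
        if missing:
            raise ValueError(f"token {i}: missing {missing}")
        scopes = frozenset(str(obj["scope"]).split())
        if not scopes:
            raise ValueError(f"token {i}: empty scope")
        tokens.append(Token(
            access_token=str(obj["access_token"]),
            server=_normalise_server(str(obj["server"])),
            scopes=scopes,
            expires_in=int(obj.get("expires_in", 0)),
            refresh_token=obj.get("refresh_token"),
        ))
    return tokens


def select_token(tokens: Iterable[Token], server: str,
                 required_scopes: Iterable[str]) -> Optional[Token]:
    """Choose the token to present to `server` for a call that needs all of
    `required_scopes` (the multi-scope case from the thread). A token is a
    candidate only if it was issued for that server AND its scope set covers
    every required scope. There is no fallback to a token issued for another
    server: presenting a token to a service it was not issued for leaks it."""
    need = frozenset(required_scopes)
    target = _normalise_server(server)
    candidates = [t for t in tokens if t.server == target and need <= t.scopes]
    if not candidates:
        return None
    # Least privilege: prefer the token carrying the fewest scopes beyond what is needed.
    return min(candidates, key=lambda t: len(t.scopes - need))


if __name__ == "__main__":
    toks = parse_token_response(SAMPLE_RESPONSE)
    chosen = select_token(toks, "https://contacts.example.net",
                          ["contacts.read", "contacts.write"])
    print(chosen.access_token if chosen else "no suitable token")
```

The selection step is where the partitioning question surfaces on the client side: because each object states which server it belongs to and which scopes it covers, the client does not need to know how the AS chose to split scopes across tokens, only that some token's scope set contains everything the call requires. If no such token exists the client gets `None` and must fail closed rather than try a token from another service.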
