Hi! I'm curious why this is impossible. If access tokens are arbitrary handles which are generated by the authorization server and distributed to all resources, it doesn't make much difference whether one or multiple are generated, and in this case it would be better to keep the load on the server rather than complicating things for clients. In the scenario (as you have mentioned) where access tokens are self-contained and digitally signed, would it not be possible to generate a "super token" which contains signatures from all resources? I agree this token might be a bit lengthy, but is there any other concern?!
Regards,
Lukas

2010/5/25 Torsten Lodderstedt <[email protected]>:
> As I said, every service in our setup needs another access token, with
> different content, signed and encrypted with another shared secret. It is
> technically impossible to create the super access token. Refresh tokens are
> just handles representing the user's authorization and are used by the authz
> server only. They therefore can represent any scope.

--
http://lukasrosenstock.net/

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
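The setup described in the quoted reply, sketched as an added example that is not part of the original thread or any participant's code: one opaque refresh handle held by the authorization server, exchanged for access tokens that each carry an integrity tag under a different service's shared secret. The service names, function names and token layout are hypothetical, and only the signing half is shown (HMAC-SHA256 stands in for "signed"; the encryption step is left out).

```python
import base64, hashlib, hmac, json, secrets

# Constructed sample data: one shared secret per service, known to the
# authorization server and to that service only.
SERVICE_KEYS = {"mail": secrets.token_bytes(32), "calendar": secrets.token_bytes(32)}
AUTHORIZATIONS = {}  # refresh handle -> {"user": ..., "scopes": {...}}

def issue_refresh_handle(user, scopes):
    """The refresh token is an opaque handle; only the authz server resolves it."""
    handle = secrets.token_urlsafe(24)
    AUTHORIZATIONS[handle] = {"user": user, "scopes": set(scopes)}
    return handle

def _b64(data):
    return base64.urlsafe_b64encode(data).decode()

def mint_access_token(handle, service):
    """Exchange the handle for a token that only the named service can verify."""
    grant = AUTHORIZATIONS[handle]
    if service not in grant["scopes"]:
        raise PermissionError(f"handle not authorized for {service}")
    body = json.dumps({"sub": grant["user"], "aud": service}, sort_keys=True).encode()
    tag = hmac.new(SERVICE_KEYS[service], body, hashlib.sha256).digest()
    return f"{_b64(body)}.{_b64(tag)}"

def verify_at_service(token, service):
    """Run by a resource server, which holds only its own shared secret."""
    try:
        body_b64, tag_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:  # wrong number of parts or invalid base64
        return None
    expected = hmac.new(SERVICE_KEYS[service], body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    claims = json.loads(body)
    return claims if claims.get("aud") == service else None
```
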
