The refresh token represents what the resource owner authorized. The access token can be a subset of that. The current draft already supports asking for less scope than was granted. It doesn't support asking for a new refresh token with less scope.
EHL

From: Breno [mailto:[email protected]]
Sent: Wednesday, June 16, 2010 8:17 AM
To: Eran Hammer-Lahav
Cc: Torsten Lodderstedt; OAuth WG ([email protected])
Subject: Re: [OAUTH-WG] proposal: multiple access tokens from a single authorization flow

Alternative proposal. Create a new call for 'dropping privileges' where a client can present a single refresh token and scopes and obtain a new refresh token/access token with defined scopes, provided that these scopes were already granted to the original token.

The advantage of a separate call is that it has less impact on implementations because it does not modify existing flows. It is also more flexible. For instance, it would allow a client to split its privileges into tokens with overlapping scopes for arbitrary requirements around security and functionality of delegating its privileges.

On Jun 11, 2010 1:12 PM, "Eran Hammer-Lahav" <[email protected]> wrote:

I'll let you know when I see the I-D :-)

EHL

> -----Original Message-----
> From: Torsten Lodderstedt
> [mailto:[email protected]]
> Sent: F...
_______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
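The "drop privileges" call Breno proposes above, modelled as an added example (this is not code from the OAuth WG thread, from any OAuth draft, or from either author). It assumes a toy authorization server with an in-memory token store, a hypothetical `drop_privileges` operation, an `authorize` step standing in for the real authorization flow, and an `introspect` helper; the token format and the error strings `invalid_grant`/`invalid_scope` are assumptions. The security-relevant check is that the requested scope set must be a non-empty subset of what the presented refresh token was granted, so a narrowed token can never be used to climb back up. Refresh tokens record their parent so that revoking the original grant also revokes every token split off from it, which is what keeps the split from outliving the resource owner's authorization.

```python
"""Toy authorization server illustrating a scope-narrowing refresh token call.

Added example, not OAuth WG or draft code. Endpoint name, storage layout,
token format and error strings are assumptions made for illustration.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass
class RefreshGrant:
    client_id: str
    owner: str                  # resource owner who authorized this lineage
    scopes: FrozenSet[str]      # everything this refresh token may ever yield
    parent: Optional[str] = None  # refresh token this one was split off from
    revoked: bool = False


@dataclass
class AccessToken:
    client_id: str
    scopes: FrozenSet[str]
    issued_from: str            # refresh token that produced it


class AuthServer:
    def __init__(self) -> None:
        self.refresh_tokens: Dict[str, RefreshGrant] = {}
        self.access_tokens: Dict[str, AccessToken] = {}

    @staticmethod
    def _new_token() -> str:
        return secrets.token_urlsafe(32)

    def authorize(self, client_id: str, owner: str, scopes) -> str:
        """Stand-in for the authorization flow: owner grants `scopes` to client."""
        rt = self._new_token()
        self.refresh_tokens[rt] = RefreshGrant(client_id, owner, frozenset(scopes))
        return rt

    def _lookup(self, rt: str, client_id: str) -> RefreshGrant:
        grant = self.refresh_tokens.get(rt)
        if grant is None or grant.revoked or grant.client_id != client_id:
            raise PermissionError("invalid_grant")
        return grant

    def refresh(self, rt: str, client_id: str, scopes=None) -> str:
        """Existing draft behaviour: an access token with at most the refresh token's scope."""
        grant = self._lookup(rt, client_id)
        wanted = frozenset(scopes) if scopes is not None else grant.scopes
        if not wanted or not wanted <= grant.scopes:
            raise PermissionError("invalid_scope")
        at = self._new_token()
        self.access_tokens[at] = AccessToken(client_id, wanted, rt)
        return at

    def drop_privileges(self, rt: str, client_id: str, scopes) -> Tuple[str, str]:
        """Proposed call: a new refresh/access token pair limited to `scopes`.

        Accepted only if `scopes` is a non-empty subset of what `rt` was granted,
        so a narrowed token can never be widened again. The original refresh
        token stays valid, which lets a client split one grant into several
        (possibly overlapping) narrower tokens.
        """
        grant = self._lookup(rt, client_id)
        wanted = frozenset(scopes)
        if not wanted or not wanted <= grant.scopes:
            raise PermissionError("invalid_scope")
        new_rt = self._new_token()
        self.refresh_tokens[new_rt] = RefreshGrant(client_id, grant.owner, wanted, parent=rt)
        new_at = self.refresh(new_rt, client_id)
        return new_rt, new_at

    def revoke(self, rt: str) -> None:
        """Revoke a refresh token, its access tokens, and every token derived from it."""
        grant = self.refresh_tokens.get(rt)
        if grant is None or grant.revoked:
            return
        grant.revoked = True
        for at, tok in list(self.access_tokens.items()):
            if tok.issued_from == rt:
                del self.access_tokens[at]
        for child, child_grant in list(self.refresh_tokens.items()):
            if child_grant.parent == rt:
                self.revoke(child)

    def introspect(self, at: str) -> Optional[List[str]]:
        """Scopes carried by a live access token, or None if unknown/revoked."""
        tok = self.access_tokens.get(at)
        return None if tok is None else sorted(tok.scopes)


if __name__ == "__main__":
    srv = AuthServer()
    root = srv.authorize("app", "alice", {"read", "write", "admin"})
    ro_rt, ro_at = srv.drop_privileges(root, "app", {"read"})
    print("read-only token scopes:", srv.introspect(ro_at))
    try:
        srv.drop_privileges(ro_rt, "app", {"read", "admin"})
    except PermissionError as err:
        print("escalation attempt rejected:", err)
    srv.revoke(root)
    print("after revoking root, read-only token is live:", srv.introspect(ro_at) is not None)
```

The subset test is the whole point of the call: the server compares against the scopes recorded for the presented refresh token, never against the client's original request, so two narrowings in a row can only shrink. Keeping the parent link is what makes revocation of the original grant meaningful once tokens have been split.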
