This use case seems to have some support for an extension, but enough 
resistance for being added to core. I suggest those who care about this write a 
proposal as an I-D.

EHL

From: [email protected] [mailto:[email protected]] On Behalf Of 
Manger, James H
Sent: Wednesday, June 16, 2010 6:54 PM
To: Breno
Cc: OAuth WG ([email protected])
Subject: Re: [OAUTH-WG] proposal: multiple access tokens from a single authorization flow

Breno,


> Alternative proposal. Create a new call for 'dropping privileges' where a 
> client can present a single refresh token and scopes and obtain a new refresh 
> token/access token with defined scopes provided that these scopes were 
> already granted to the original token.
> The advantage of a separate call is that it has less impact in 
> implementations because it does not modify existing flows. It is also more 
> flexible. For instance it would allow a client to split its privileges into 
> tokens with overlapping scopes for arbitrary requirements around security and 
> functionality of delegating its privileges.

This alternative (dropping privileges) could work for clients that know 
everything about a service: which scopes are necessary & sufficient for each 
call, and that ‘dropping privileges’ is supported. It requires lots of 
service-specific knowledge in the client, and/or some reasonably sophisticated 
discovery (which is so far undefined, untried, and not obvious how it should be 
done). A service that requires dropped privileges can only reject calls that 
use full tokens (and hope that hasn’t already compromised security), and hope 
that clients can then discover how to drop privileges and what to drop them to 
(efficiently & simply).

Returning multiple tokens, in contrast, enables a server to say use these 
(“pre-dropped”) tokens at these API endpoints. No extra discovery is required. 
No extra service-specific knowledge is required of clients.

‘Dropping privileges’ is nice additional functionality, but I don’t think it is 
a good alternative to returning multiple tokens.

--
James Manger
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
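The two designs debated above, modelled side by side as an added example (not code from the OAuth WG or either author): an authorization server that supports Breno's separate "dropping privileges" call, which only issues a narrowed refresh/access pair when the requested scopes are a subset of what the presented token already holds, and the alternative James describes, where the server hands back one pre-narrowed token per endpoint. The endpoint-to-scope map, the token format, and all function and class names are assumptions made for illustration; the resource-server check shows the enforcement position James points out, where a service that wants least-privilege tokens can only reject calls that arrive with a full-scope token.

```python
import secrets
from dataclasses import dataclass

# Which scopes each endpoint needs (constructed sample, not a real API).
ENDPOINT_SCOPES = {
    "/mail/messages": {"mail.read"},
    "/calendar/events": {"calendar.read"},
    "/contacts": {"contacts.write"},
}


@dataclass(frozen=True)
class Grant:
    refresh_token: str
    scopes: frozenset


class AuthorizationServer:
    """Toy AS (assumed design) tracking each refresh token and its granted scopes."""

    def __init__(self):
        self._grants = {}

    def _new_token(self):
        return secrets.token_urlsafe(16)

    def _access_token(self, scopes):
        # Opaque bearer token plus the scopes the resource server will see for it.
        return {"access_token": self._new_token(), "scopes": frozenset(scopes)}

    def issue(self, scopes):
        """Initial authorization flow: one refresh token carrying the full grant."""
        grant = Grant(self._new_token(), frozenset(scopes))
        self._grants[grant.refresh_token] = grant
        return grant

    def drop_privileges(self, refresh_token, requested):
        """The separate 'dropping privileges' call. The new pair may carry only
        scopes already granted to the presented token; any extra scope is an
        escalation attempt and is rejected rather than silently intersected."""
        grant = self._grants.get(refresh_token)
        if grant is None:
            raise PermissionError("unknown refresh token")
        requested = frozenset(requested)
        extra = requested - grant.scopes
        if extra:
            raise PermissionError("scopes not granted: " + ", ".join(sorted(extra)))
        narrowed = Grant(self._new_token(), requested)
        self._grants[narrowed.refresh_token] = narrowed
        return narrowed, self._access_token(requested)

    def issue_multiple(self, scopes, endpoint_scopes=ENDPOINT_SCOPES):
        """The multiple-token alternative: the AS returns pre-narrowed access
        tokens keyed by the endpoint each one is meant for."""
        granted = frozenset(scopes)
        return {
            endpoint: self._access_token(needed)
            for endpoint, needed in endpoint_scopes.items()
            if frozenset(needed) <= granted
        }


def authorize_call(endpoint, access_token, require_minimal=False,
                   endpoint_scopes=ENDPOINT_SCOPES):
    """Resource-server check. With require_minimal the RS insists on least
    privilege in the only way available to it under the drop-privileges design:
    reject any token that carries more than this endpoint needs."""
    needed = frozenset(endpoint_scopes[endpoint])
    held = access_token["scopes"]
    if not needed <= held:
        return False          # token does not cover the call at all
    if require_minimal and held != needed:
        return False          # over-privileged token: client must drop privileges first
    return True


def demo():
    """Exercise both designs and return the outcomes as a dict of booleans."""
    auth = AuthorizationServer()
    full_grant = auth.issue({"mail.read", "calendar.read", "contacts.write"})
    full_token = auth._access_token(full_grant.scopes)

    narrowed, mail_token = auth.drop_privileges(full_grant.refresh_token, {"mail.read"})
    try:
        auth.drop_privileges(full_grant.refresh_token, {"mail.read", "admin"})
        escalation_rejected = False
    except PermissionError:
        escalation_rejected = True

    per_endpoint = auth.issue_multiple({"mail.read", "calendar.read"})
    return {
        "narrowed_scopes_ok": narrowed.scopes == frozenset({"mail.read"}),
        "narrowed_token_accepted": authorize_call("/mail/messages", mail_token, True),
        "narrowed_token_cannot_read_calendar": not authorize_call("/calendar/events", mail_token),
        "escalation_rejected": escalation_rejected,
        "full_token_rejected_when_minimal_required": not authorize_call("/mail/messages", full_token, True),
        "multi_tokens_only_for_granted_endpoints": set(per_endpoint) == {"/mail/messages", "/calendar/events"},
        "multi_token_accepted_as_minimal": authorize_call("/calendar/events", per_endpoint["/calendar/events"], True),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The subset test in `drop_privileges` is the whole security content of the narrowing call: a server that intersected the requested set with the grant instead of rejecting would hide client bugs and make audit logs lie about what the client asked for. The `require_minimal` branch is where the discovery problem James raises shows up in practice: a client holding only the full token cannot tell from a bare rejection which narrower token it should have presented.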