Hi Dick,

"Could you not make all three calls in parallel, and then you get the access 
token that you want right away with no latency?"

Yes but it's the response time for bootstrapping the first request that is my 
concern.  It takes a total of 4 round trips to obtain the first down-scoped 
access_token (three OAuth trips + one primary authentication to the AS).

I'm really hoping more folks chime in with some interest on this one.  The 
security thought process behind the refresh token is sound, and I think more 
people will begin to adopt it.  We've got Salesforce as probably the largest 
enterprise using it, we've got people looking at OAuth for public safety / 
first responder use cases (myself), and we have FICAM profiling it as well.  I 
think this is just the beginning.

Just my 2 cents, it's free :)
adam
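The pattern under discussion (one broad-scope refresh token, with separately down-scoped access tokens minted per resource server) is easy to sketch as a mock authorization server. The following is an added example written for this thread, not code from the OAuth WG or from any of the posters; the class and function names, the client id and the `rs-a:read`-style scope strings are all constructed for illustration. The security rule it enforces is the one RFC 6749 section 6 states for refresh requests: a requested `scope` may narrow the original grant but never widen it, and a down-scoped token presented to the wrong resource server is rejected.

```python
"""Mock authorization server: one refresh token per grant, down-scoped
access tokens per resource server. Added example, not code from the thread."""
import secrets
import time


class TokenError(Exception):
    """Raised with an RFC 6749 error code such as invalid_grant or invalid_scope."""


class MockAuthorizationServer:
    """Hypothetical AS (names assumed). Tokens are opaque random strings kept in memory."""

    def __init__(self, access_ttl=300):
        self.access_ttl = access_ttl
        self._refresh_tokens = {}  # refresh_token -> (client_id, frozenset(scopes))
        self._access_tokens = {}   # access_token -> (frozenset(scopes), expires_at)

    def issue_grant(self, client_id, scope):
        """After primary authentication, issue one refresh token covering the full granted scope."""
        granted = frozenset(scope.split())
        refresh_token = secrets.token_urlsafe(32)
        self._refresh_tokens[refresh_token] = (client_id, granted)
        return refresh_token

    def refresh(self, client_id, refresh_token, scope=None):
        """Refresh-token grant. The requested scope must be a subset of the original grant
        (RFC 6749 section 6); omitting scope returns the full granted scope."""
        entry = self._refresh_tokens.get(refresh_token)
        # Bind the refresh token to the client it was issued to.
        if entry is None or entry[0] != client_id:
            raise TokenError("invalid_grant")
        _, granted = entry
        requested = frozenset(scope.split()) if scope else granted
        if not requested <= granted:  # any scope outside the grant is an escalation attempt
            raise TokenError("invalid_scope")
        access_token = secrets.token_urlsafe(32)
        self._access_tokens[access_token] = (requested, time.time() + self.access_ttl)
        return {
            "access_token": access_token,
            "token_type": "Bearer",
            "expires_in": self.access_ttl,
            "scope": " ".join(sorted(requested)),
        }

    def check_access(self, access_token, required_scope):
        """What a resource server's introspection check would do: valid, unexpired,
        and the token's scope covers everything this RS requires."""
        entry = self._access_tokens.get(access_token)
        if entry is None:
            return False
        scopes, expires_at = entry
        if time.time() >= expires_at:
            return False
        return frozenset(required_scope.split()) <= scopes


def provision_per_rs_tokens(auth_server, client_id, refresh_token, rs_scopes):
    """Mint one narrowly scoped access token per resource server from a single
    refresh token. rs_scopes maps an RS name to the scope that RS needs."""
    return {
        rs: auth_server.refresh(client_id, refresh_token, scope)
        for rs, scope in rs_scopes.items()
    }


if __name__ == "__main__":
    auth = MockAuthorizationServer()
    rt = auth.issue_grant("client-1", "rs-a:read rs-b:write rs-c:read")
    tokens = provision_per_rs_tokens(
        auth, "client-1", rt, {"rs-a": "rs-a:read", "rs-b": "rs-b:write"}
    )
    # The rs-a token works at rs-a only; presenting it at rs-b fails.
    print(auth.check_access(tokens["rs-a"]["access_token"], "rs-a:read"))   # True
    print(auth.check_access(tokens["rs-a"]["access_token"], "rs-b:write"))  # False
```

Each resource server in the example needs only its own narrow token, so a token captured at one RS cannot be replayed against another, while the client holds a single refresh token for the whole session; the subset check in `refresh` is the one control that keeps that single broad token from becoming a path to scope escalation.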


From: Dick Hardt [mailto:[email protected]]
Sent: Wednesday, October 31, 2012 4:07 PM
To: Lewis Adam-CAL022
Cc: [email protected] WG
Subject: Re: [OAUTH-WG] access tokens & refresh tokens of different scopes


On Oct 31, 2012, at 1:29 PM, Lewis Adam-CAL022 <[email protected]> wrote:


Hi Dick,

Totally agree about keeping things simple :)

I'll be the first to admit that many of my use cases are edge cases, but I was 
sort of hoping that "this one" might find some common mindshare within the 
community.  Maybe it is just Google using refresh tokens today on the social 
web, but I think we all know that OAuth is going to have life well beyond the 
social web.  Whether that's good or bad has of course been the foundation of so 
much of the recent "entertainment" in the OAuth blogosphere :)

FYI: A design goal of WRAP, and hence OAuth 2.0 was to support a number of 
enterprise use cases. I expect people will use it in ways not imagined, which 
*may* require additions.

I point out the non refresh token implementations to highlight that numerous 
implementors have not felt the added security is worth the extra client 
developer overhead in case you felt that it was a requirement.



If I can't find anybody else in the community to agree that what I propose is 
useful, then I'll cry uncle and let it rest.

It will be interesting to see if others have the same use case.


Btw, in response to your question "why not have 3 different calls to the AS so 
that there are separate refresh tokens for each RS? " ... it all comes down to 
end user experience / latency.

Could you not make all three calls in parallel, and then you get the access 
token that you want right away with no latency?


_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth