We're looking at using the rescope operation to support redelegation,
and in this we wouldn't want to give the second client a refresh token
of their own, just an access token that is good for a subset of scopes
attached to the original refresh/access combination that the user
authorized. I'm not seeing a use case for asking for a new refresh token
using an existing refresh token as auth, though. Could you elaborate
what this might be?

 -- Justin

On Wed, 2010-06-16 at 11:32 -0400, Eran Hammer-Lahav wrote:
> The refresh token represents what the resource owner authorized. The
> access token can be a subset of that. The current draft already
> supports asking for less scope than was granted. It doesn’t support
> asking for a new refresh token with less scope.
> 
> From: Breno [mailto:breno.demedei...@gmail.com] 
> Sent: Wednesday, June 16, 2010 8:17 AM
> To: Eran Hammer-Lahav
> Cc: Torsten Lodderstedt; OAuth WG (oauth@ietf.org)
> Subject: Re: [OAUTH-WG] proposal: multiple access tokens from a single
> authorization flow
> 
> Alternative proposal. Create a new call for 'dropping privileges'
> where a client can present a single refresh token and scopes and
> obtain a new refresh token/access token with defined scopes provided
> that these scopes were already granted to the original token.
> 
> The advantage of a separate call is that it has less impact in
> implementations because it does not modify existing flows. It is also
> more flexible. For instance it would allow a client to split its
> privileges into tokens with overlapping scopes for arbitrary
> requirements around security and functionality of delegating its
> privileges.
> 
>         On Jun 11, 2010 1:12 PM, "Eran Hammer-Lahav"
>         <e...@hueniverse.com> wrote:
>         
>         I'll let you know when I see the I-D :-)
>         
>         EHL
>         
>         
>         > -----Original Message-----
>         > From: Torsten Lodderstedt [mailto:tors...@lodderstedt.net]
>         > Sent: F...
>         


_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
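As an added illustration of the two variants discussed above (not code from the thread or from any OAuth implementation): a token-endpoint routine that takes an existing refresh token plus requested scopes and issues a narrowed access token, optionally with a new refresh token of its own as Breno proposes, while refusing any scope the original grant did not cover. The in-memory stores and token-issuing helper are assumptions for the example.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional

# Constructed in-memory stores (assumption: a real authorization server persists these).
@dataclass(frozen=True)
class RefreshGrant:
    scopes: FrozenSet[str]          # what the resource owner authorized for this token
    parent: Optional[str] = None    # refresh token it was derived from, if any

REFRESH_TOKENS: Dict[str, RefreshGrant] = {}
ACCESS_TOKENS: Dict[str, FrozenSet[str]] = {}

def issue_refresh_token(scopes: Iterable[str], parent: Optional[str] = None) -> str:
    token = secrets.token_urlsafe(32)
    REFRESH_TOKENS[token] = RefreshGrant(frozenset(scopes), parent)
    return token

def drop_privileges(refresh_token: str, requested: Iterable[str],
                    want_refresh_token: bool = False) -> dict:
    """Token-endpoint logic for the 'drop privileges' call: the client presents
    an existing refresh token plus the scopes it wants and receives an access
    token (and optionally a new refresh token) limited to those scopes.
    Returns an OAuth-style error dict when the request is not allowed."""
    grant = REFRESH_TOKENS.get(refresh_token)
    if grant is None:
        return {"error": "invalid_grant"}
    wanted = frozenset(requested)
    # A derived token may only carry scopes already present on the grant it
    # came from, so privileges can be narrowed but never widened, even through
    # a chain of derived refresh tokens (each child records its own narrowed set).
    if not wanted or not wanted <= grant.scopes:
        return {"error": "invalid_scope"}
    access = secrets.token_urlsafe(32)
    ACCESS_TOKENS[access] = wanted
    response = {"access_token": access, "scope": " ".join(sorted(wanted))}
    if want_refresh_token:
        # Breno's variant: hand back a refresh token of its own with the reduced
        # scope. Justin's redelegation case omits this and gives the second
        # client only the access token.
        response["refresh_token"] = issue_refresh_token(wanted, parent=refresh_token)
    return response
```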
