I'm going to write an I-D for multiple access tokens. If someone else
would like to contribute, please contact me.
regards,
Torsten.
On 17.06.2010 03:56, Eran Hammer-Lahav wrote:
This use case seems to have some support for an extension, but enough
resistance for being added to core. I suggest those who care about
this write a proposal as an I-D.
EHL
*From:* oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] *On
Behalf Of *Manger, James H
*Sent:* Wednesday, June 16, 2010 6:54 PM
*To:* Breno
*Cc:* OAuth WG (oauth@ietf.org)
*Subject:* Re: [OAUTH-WG] proposal: multiple access tokens from a
single authorization flow
Breno,
> Alternative proposal. Create a new call for 'dropping privileges'
> where a client can present a single refresh token and scopes and
> obtain a new refresh token/access token with defined scopes provided
> that these scopes were already granted to the original token.
> The advantage of a separate call is that it has less impact in
> implementations because it does not modify existing flows. It is also
> more flexible. For instance it would allow a client to split its
> privileges into tokens with overlapping scopes for arbitrary
> requirements around security and functionality of delegating its
> privileges.
This alternative (dropping privileges) could work for clients that
know everything about a service: which scopes are necessary &
sufficient for each call, and that ‘dropping privileges’ is supported.
It requires lots of service-specific knowledge in the client, and/or
some reasonably sophisticated discovery (which is so far undefined,
untried, and not obvious how it should be done). A service that
*requires* dropped privileges can only reject calls that use full
tokens (and hope that hasn’t already compromised security), and hope
that clients can then discover how to drop privileges and what to drop
them to (efficiently & simply).
Returning multiple tokens, in contrast, enables a server to say use
these (“pre-dropped”) tokens at these API endpoints. No extra
discovery is required. No extra service-specific knowledge is required
of clients.
‘Dropping privileges’ is nice additional functionality, but I don’t
think it is a good alternative to returning multiple tokens.
--
James Manger
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
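As an added example, not code from this thread or from any OAuth implementation: a toy authorization server that models both proposals side by side, the 'dropping privileges' exchange with a scope-subset check that blocks escalation, and the multiple-token alternative where the server issues one pre-scoped token per endpoint, with revocation following the derivation chain. The endpoint-to-scope table, token format and method names are assumptions made for illustration.

```python
import secrets
from dataclasses import dataclass

# Constructed table (assumption): the scopes each protected endpoint requires.
ENDPOINT_SCOPES = {"/contacts": {"contacts.read"}, "/mail": {"mail.read", "mail.send"}}

@dataclass
class Token:
    value: str
    scopes: frozenset
    parent: "str | None" = None  # token this one was derived from, if any
    revoked: bool = False

class AuthServer:
    def __init__(self):
        self.tokens = {}  # token value -> Token
    def _issue(self, scopes, parent=None):
        t = Token(secrets.token_urlsafe(16), frozenset(scopes), parent)
        self.tokens[t.value] = t
        return t
    def grant(self, scopes):
        """Initial authorization: one refresh token covering every granted scope."""
        return self._issue(scopes)

    def drop_privileges(self, refresh_token, requested):
        """Breno's proposal: derive a narrower token. The requested scopes must be a
        subset of the parent's, so chaining exchanges can never widen the grant."""
        parent = self.tokens.get(refresh_token)
        if parent is None or parent.revoked:
            raise PermissionError("unknown or revoked refresh token")
        requested = frozenset(requested)
        if not requested <= parent.scopes:
            raise PermissionError(f"scope escalation: {sorted(requested - parent.scopes)}")
        return self._issue(requested, parent=parent.value)

    def grant_multiple(self, scopes):
        """James Manger's alternative: the server itself hands out one 'pre-dropped'
        token per endpoint the grant covers, so the client needs no discovery."""
        root = self.grant(scopes)
        per_endpoint = {ep: self._issue(need, parent=root.value)
                        for ep, need in ENDPOINT_SCOPES.items() if need <= root.scopes}
        return root, per_endpoint

    def revoke(self, token_value):
        """Revoking a token also revokes everything derived from it, transitively."""
        doomed = {token_value}
        while more := {t.value for t in self.tokens.values() if t.parent in doomed} - doomed:
            doomed |= more
        for v in doomed.intersection(self.tokens):
            self.tokens[v].revoked = True
```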