My comment was not about not issuing an access token, but about the need for a refresh token *and* client authentication.
EHL > -----Original Message----- > From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf > Of Manger, James H > Sent: Wednesday, June 15, 2011 10:02 PM > To: OAuth WG > Subject: [OAUTH-WG] issuing multiple tokens > > Torsten Lodderstedt needs to issue multiple tokens; Igor Faynberg said +1 to > that; John Bradley identified that OpenID Connect needs to request multiple > tokens; Eran Hammer-Lahav even mentioned a no-token flow as something > that could make sense; ... > > Issuing 0, 1 or more tokens looks like an important enough feature to fix > now, instead of trying to hack it in after the spec is finalised. > > > Changing the access token response [5.1] to be a JSON array of JSON objects > (one JSON object per issued token) seems like a simple way to get this > important functionality -- with very limited overhead for services that will > only ever issue a single token, and client written just for those services. > > P.S. Does Facebook return a JSON object for its access token response (as in > draft-ietf-oauth-v2-12 that they reference), or x-www-form-urlencoded as > the example at http://developers.facebook.com/docs/authentication/ > implies [4th screen shot down]? > > -- > James Manger > > > Eran said (on a different thread): > > ...if the client can authenticate with the authorization server. Why not just > include the client identifier and user identifier and let the authorization > server lookup what the user already authorized? > > > Igor Faynberg wrote: > > +1 > > Torsten Lodderstedt wrote: > > Hi, > > > > I also see the need to request and issue multiple tokens in a single > > authorization process. There has already been some discussion about > > this topic roughly a year ago: > > - http://www.ietf.org/mail-archive/web/oauth/current/msg02688.html. > > - http://www.ietf.org/mail-archive/web/oauth/current/msg03639.html > > > > We at Deutsche Telekom have implemented an OAuth 2.0 extension > > supporting that use case. It's called "bulk authorization". > > > > Would that be an interessting topic we could discuss at IETF-81 for > > the re-chartering? I could present our approach there. > > > > regards, > > Torsten. > > > Am 10.06.2011 21:08, schrieb John Bradley: > >> We have identified the need to request multiple tokens as one issue > >> that we would have to extend. > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
