I have a use case where I would like to request both an access token and a 
refresh token, but I would like the access token to have a scope less than that 
of the refresh token.  It is standard OAuth behavior for using the refresh 
token to request additional access tokens (of equal or lesser scope) but the 
first access token that comes back always has the "master scope" of the refresh 
token.

For various security concerns, I always want my access tokens to be of a 
stricter scope than the refresh token.  For example, consider the scenario of a 
structured (JWT) access token that does not require the RS to call back to the 
AS introspection endpoint.  Following typical OAuth guidance, it is best 
practice to use short lived access tokens with long lived refresh tokens.  But 
I'd rather a compromised access token not compromise access to ALL my resource 
servers.

Using the existing standard I could simply destroy the first access token when 
it is received and then request another of lesser scope using the refresh 
token, but now I've just wasted a round trip over the air, consuming bandwidth 
and adding latency to the end user experience.

Is there anybody in the working group that feels this would be valuable?


adam
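As an added illustration (not part of the message and not any real authorization server's code), a small Python model of a token endpoint: the standard refresh grant, where a client may narrow but never widen the scope recorded for the refresh token, beside the single-request variant proposed above, where the first access token is issued with a narrower scope than the refresh token. Function names, the in-memory grant store and the token format are constructed for this example.

```python
"""
Toy model of an OAuth authorization server's token endpoint (constructed
for this example). It shows the standard refresh-token rule that a refresh
request may ask for the originally granted scope or a subset of it, never
more, and the proposed variant in which the initial access token is issued
narrower than the refresh token without a second round trip.
"""
import secrets
from typing import Dict, FrozenSet, Optional

# Refresh token -> scope the user originally granted (the "master scope").
REFRESH_GRANTS: Dict[str, FrozenSet[str]] = {}


def _parse_scope(scope: str) -> FrozenSet[str]:
    """Scope values are space-separated strings in OAuth; order is irrelevant."""
    return frozenset(scope.split())


def issue_tokens(granted_scope: str, access_scope: Optional[str] = None) -> dict:
    """Initial token response after the user consented to granted_scope.

    Standard behaviour (access_scope=None): the access token carries the
    full granted scope. Proposed behaviour: the client names a narrower
    access_scope; the refresh token still records the full grant.
    """
    granted = _parse_scope(granted_scope)
    wanted = granted if access_scope is None else _parse_scope(access_scope)
    if not wanted <= granted:
        raise ValueError("invalid_scope: access scope exceeds the grant")
    refresh_token = secrets.token_urlsafe(16)
    REFRESH_GRANTS[refresh_token] = granted
    return {
        "access_token": secrets.token_urlsafe(16),
        "scope": " ".join(sorted(wanted)),
        "refresh_token": refresh_token,
    }


def refresh(refresh_token: str, scope: Optional[str] = None) -> dict:
    """Refresh grant: the requested scope must be a subset of the original grant."""
    granted = REFRESH_GRANTS.get(refresh_token)
    if granted is None:
        raise ValueError("invalid_grant: unknown refresh token")
    wanted = granted if scope is None else _parse_scope(scope)
    if not wanted <= granted:
        raise ValueError("invalid_scope: cannot escalate beyond the grant")
    return {"access_token": secrets.token_urlsafe(16),
            "scope": " ".join(sorted(wanted))}
```

The subset check in `refresh` is the one a resource server relying on self-contained (JWT) access tokens depends on: the refresh token's recorded grant, not the client's request, bounds every access token the server mints.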

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
