Re: [OAUTH-WG] Refreshing tokens on the RS

2020-05-10 Thread Jared Jennings
Not exactly the same, but seems similar to some of the proposed logic in
https://tools.ietf.org/wg/oauth/draft-ietf-oauth-incremental-authz/

-Jared
Skype:jaredljennings
Signal:+1 816.730.9540
WhatsApp: +1 816.678.4152


On Tue, May 5, 2020 at 10:19 AM Jim Schaad wrote:

> Over in the ACE working group we are currently having a discussion about
> refreshing tokens on an RS.  I want to make sure that this is not something
> that this working group has already solved.  The basic scenario is:
>
> 1.  Client gets token T1 and posts it to the RS
> 2.  After some time the RS returns an error to the client about an access
> issue
> 3.  Client gets a new token from the AS T2, possibly using a refresh token.
> 4.  Client posts the token T2 to the RS
> 5.  The RS somehow needs to associate token T1 and T2 for long term security
> sessions.
>
> I do not believe that OAuth has this issue because there is not currently
> any concept that a token is used for anything other than a single
> request/response between the client and the RS.  There is no idea of the RS
> storing tokens long term associated with a TLS session that might need to
> have the access rights for that TLS session changed.
>
> Please provide any feedback that you might have.
>
> Thanks
> Jim
>
>
> ___
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>


[OAUTH-WG] Refreshing tokens on the RS

2020-05-05 Thread Jim Schaad
Over in the ACE working group we are currently having a discussion about
refreshing tokens on an RS.  I want to make sure that this is not something
that this working group has already solved.  The basic scenario is:

1.  Client gets token T1 and posts it to the RS
2.  After some time the RS returns an error to the client about an access
issue
3.  Client gets a new token from the AS T2, possibly using a refresh token.
4.  Client posts the token T2 to the RS
5.  The RS somehow needs to associate token T1 and T2 for long term security
sessions.

I do not believe that OAuth has this issue because there is not currently
any concept that a token is used for anything other than a single
request/response between the client and the RS.  There is no idea of the RS
storing tokens long term associated with a TLS session that might need to
have the access rights for that TLS session changed.

Please provide any feedback that you might have.

Thanks
Jim


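An added illustration of the five-step scenario in Jim's message (not part of either post, and not code from the ACE or OAuth working groups): a toy resource server that keeps a long-lived session, rejects requests once T1 has expired, and then decides whether T2 may take over that session. The token fields, the session table and the rule used here (T2 must carry the same proof-of-possession key identifier and subject as T1, and must not be a replayed token) are assumptions of this example chosen to show the security point, namely that "associating T1 and T2" must not let a token issued to a different client inherit an established session.

```python
"""Toy RS model for the T1 -> T2 session-refresh scenario.

Added illustration only: Token fields, Session layout and the binding rule
(same cnf key id and same sub) are assumptions, not an ACE/OAuth definition.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Token:
    jti: str           # unique token id, used as a replay guard
    sub: str           # subject the AS issued the token for
    aud: str           # resource server the token is meant for
    cnf: str           # id of the client's proof-of-possession key (assumed field)
    scope: frozenset   # access rights granted
    iat: int           # issued-at, seconds
    exp: int           # expiry, seconds


@dataclass
class Session:
    cnf: str
    sub: str
    scope: frozenset
    exp: int
    tokens: list = field(default_factory=list)   # history: T1, T2, ...


class Clock:
    """Controllable time source so the walk-through is reproducible."""
    def __init__(self, t: int) -> None:
        self.t = t


class ResourceServer:
    def __init__(self, aud: str, clock: Clock) -> None:
        self.aud, self.clock = aud, clock
        self.sessions: dict[str, Session] = {}
        self.seen_jti: set[str] = set()

    def _check(self, tok: Token) -> None:
        if tok.aud != self.aud:
            raise PermissionError("audience mismatch")
        if not tok.iat <= self.clock.t < tok.exp:
            raise PermissionError("token not valid at this time")
        if tok.jti in self.seen_jti:
            raise PermissionError("token already used")

    def establish(self, sid: str, t1: Token) -> Session:
        """Step 1: client posts T1; the session's rights come from T1."""
        self._check(t1)
        self.seen_jti.add(t1.jti)
        self.sessions[sid] = Session(t1.cnf, t1.sub, t1.scope, t1.exp, [t1.jti])
        return self.sessions[sid]

    def authorize(self, sid: str, needed: str) -> bool:
        """Per-request check; step 2 is this returning False once T1 expired."""
        sess = self.sessions.get(sid)
        if sess is None or self.clock.t >= sess.exp:
            return False
        return needed in sess.scope

    def refresh(self, sid: str, t2: Token) -> Session:
        """Steps 4-5: T2 is tied to T1's session only if bound to the same
        PoP key and subject; otherwise another client could take it over."""
        sess = self.sessions.get(sid)
        if sess is None:
            raise KeyError("unknown session")
        self._check(t2)
        if (t2.cnf, t2.sub) != (sess.cnf, sess.sub):
            raise PermissionError("replacement token not bound to this session's client")
        self.seen_jti.add(t2.jti)
        sess.scope, sess.exp = t2.scope, t2.exp   # session rights now follow T2
        sess.tokens.append(t2.jti)
        return sess


def run_scenario() -> dict:
    """Walks the five steps with constructed tokens and returns what happened."""
    clock = Clock(1000)
    rs = ResourceServer("rs1", clock)
    t1 = Token("T1", "client-A", "rs1", "kid-A", frozenset({"read"}), 1000, 1600)
    rs.establish("sess-1", t1)
    before = rs.authorize("sess-1", "read")      # True while T1 is valid
    clock.t = 2000
    expired = rs.authorize("sess-1", "read")     # False: the step-2 error
    t2 = Token("T2", "client-A", "rs1", "kid-A", frozenset({"read", "write"}), 2000, 2600)
    sess = rs.refresh("sess-1", t2)              # steps 4-5
    after = rs.authorize("sess-1", "write")
    # A valid token issued to a different client must not replace T1 here.
    other = Token("T3", "client-B", "rs1", "kid-B", frozenset({"read"}), 2000, 2600)
    try:
        rs.refresh("sess-1", other)
        takeover_blocked = False
    except PermissionError:
        takeover_blocked = True
    return {"before": before, "expired": expired, "after": after,
            "tokens": list(sess.tokens), "takeover_blocked": takeover_blocked}
```

Running `run_scenario()` shows the session carrying both token ids after the refresh while the foreign token is refused; the same `refresh` path also rejects a re-posted T1 because its `jti` has already been consumed.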