On Tue, Apr 14, 2015 at 4:57 PM, Andy McKay <[email protected]> wrote:
>
> We'll probably want to provide some sort of "token narrowing" API to
> enable this in a more secure fashion.
>
> If for example, Mozilla Concrete has a token with scope
> "profile+payments+SuperSecretOtherThing", then it doesn't want to pass
> that token directly to other services. Instead, it could call some API
> on the oauth server to generate a fresh subsidiary token with only
> "payments" scope, and pass that token to the payments service."
>

I'm working on adding "refresh tokens" to OAuth this week. If you haven't read about them in the OAuth2 spec, basically you'd get a refresh_token that would be used to fetch short-lived access_tokens (instead of the forever-living ones now). You can optionally specify scope and ttl of this access_token. So you could basically do `POST /v1/token?scope=payments&ttl=60` to get a payment token for 60 seconds, and pass that one...
_______________________________________________ Dev-fxacct mailing list [email protected] https://mail.mozilla.org/listinfo/dev-fxacct
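The narrowing flow sketched above (a long-lived refresh token that mints short-lived, reduced-scope access tokens), as an added illustration that is not code from the thread or from the Firefox Accounts project. The HMAC key, the `MAX_TTL` ceiling, the token encoding and the `+`-separated scope string (as written in the thread; a real query string would decode `+` as a space, so the server would normally URL-decode first) are all assumptions of this example.

```python
import base64, hashlib, hmac, json, secrets, time

SERVER_KEY = b"constructed-demo-key"  # assumption: server-side signing key, never sent to clients
MAX_TTL = 3600                        # assumption: hard ceiling on any access token lifetime

def _sign(claims):
    # Compact signed blob: base64url(JSON) "." HMAC-SHA256 hex. Not a real JWT, just enough for the demo.
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    mac = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + mac

def _verify(token):
    body, mac = token.rsplit(".", 1)
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("bad signature")
    return json.loads(base64.urlsafe_b64decode(body))

def issue_refresh_token(client, scopes):
    # The long-lived credential the client keeps; it carries the full granted scope.
    return _sign({"typ": "refresh", "client": client,
                  "scope": sorted(scopes), "jti": secrets.token_hex(8)})

def issue_access_token(refresh_token, scope=None, ttl=None, now=None):
    """Server side of POST /v1/token?scope=...&ttl=...: scope may only shrink, ttl is bounded."""
    now = int(time.time()) if now is None else now
    parent = _verify(refresh_token)
    if parent.get("typ") != "refresh":
        raise ValueError("only a refresh token can mint access tokens")
    granted = set(parent["scope"])
    requested = set(scope.split("+")) if scope else granted
    if not requested <= granted:
        raise ValueError("requested scope exceeds the refresh token's grant")
    ttl = MAX_TTL if ttl is None else min(int(ttl), MAX_TTL)
    if ttl <= 0:
        raise ValueError("ttl must be positive")
    return _sign({"typ": "access", "client": parent["client"],
                  "scope": sorted(requested), "exp": now + ttl})

def check_access(token, needed_scope, now=None):
    """Resource server (e.g. payments) check: genuine, unexpired, and carrying the needed scope."""
    now = int(time.time()) if now is None else now
    try:
        claims = _verify(token)
    except ValueError:
        return False
    return (claims.get("typ") == "access" and claims["exp"] > now
            and needed_scope in claims["scope"])
```

Because the payments service only ever sees a `payments`-scoped token with a 60-second `exp`, a leak there cannot be replayed against the profile API or the other scopes the refresh token grants.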

