On Tue, May 4, 2010 at 10:48 AM, Eran Hammer-Lahav <e...@hueniverse.com> wrote:
> Why a short lived 2.0 token? Why not provide an endpoint to exchange a 1.0
> token with a 2.0 token with a refresh token?

Yes, we thought about this use case but weren't sure about the right
implementation. If an OAuth 2.0 refresh token is issued, then most likely the
OAuth 1.0 access token should be revoked. This would be more like a migration.

Also, the OAuth 2.0 refresh token may need a corresponding client secret; how
would the client get that?

- assume this was provisioned offline
- assume OAuth 2.0 client secret = OAuth 1.0 consumer secret
- generate and send OAuth 2.0 client secret with the refresh token

The first approach seems the right one, and the second could be a special case.

I think a flag parameter is needed on the request to signal that a migration
should be performed (issue OAuth 2.0 refresh token and revoke OAuth 1.0 access
token) as opposed to just a short lived OAuth 2.0 access token request.

Thoughts?

Marius

>
> EHL
>
>> -----Original Message-----
>> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf
>> Of Marius Scurtescu
>> Sent: Tuesday, May 04, 2010 10:27 AM
>> To: OAuth WG
>> Subject: [OAUTH-WG] OAuth 1 Bridge Flow
>>
>> Hi,
>>
>> I would like to suggest a flow, or endpoint, that is bridging OAuth 1 and
>> OAuth 2. See the attachment.
>>
>> The OAuth 1 Bridge Flow basically defines an endpoint where you can place a
>> signed OAuth 1 request and in response you receive a short lived OAuth 2.0
>> access token. This flow can be used by clients that have a long lived OAuth
>> 1.0 access token and want to use a short lived OAuth 2.0 access token to
>> access protected resources.
>>
>> Do you have a use case for a flow like this? If not exactly but close, how
>> can the flow be improved to cover your use case as well?
>>
>> Feedback more than welcome.
>>
>> Thanks,
>> Marius
>
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
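The bridge endpoint and the migration flag discussed in the thread, as an added example that is not code from the thread, from Marius's attachment, or from the IETF OAuth WG. It is a toy server that verifies an OAuth 1.0 HMAC-SHA1 signed request (RFC 5849 signature base string), returns a short-lived OAuth 2.0 access token, and, when the signed request carries a `migrate=true` flag, also issues a refresh token and revokes the OAuth 1.0 access token. The flag name `migrate`, the endpoint URL, the error codes, the 300-second timestamp window and all consumer, token and user values are assumptions or constructed sample data; the OAuth 2.0 client secret is assumed to have been provisioned offline (the first option in the reply), so the server only maps the consumer key to the already-registered client.

```python
"""Toy OAuth 1 bridge endpoint (added example; not the thread's or the WG's code)."""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote


def pct(value):
    # RFC 3986 percent-encoding with the unreserved set RFC 5849 requires.
    return quote(str(value), safe="-._~")


def base_string(method, url, params):
    # Signature base string: METHOD & enc(base URL) & enc(normalized params).
    # Every request parameter except oauth_signature is covered, so a body
    # flag such as `migrate` cannot be added or flipped without re-signing.
    items = sorted((pct(k), pct(v)) for k, v in params.items() if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in items)
    return "&".join([method.upper(), pct(url), pct(normalized)])


def hmac_sha1(consumer_secret, token_secret, base):
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()


def sign_request(method, url, params, consumer_key, consumer_secret,
                 token, token_secret, nonce=None, ts=None):
    # Client side: attach oauth_* parameters and sign (RFC 5849 section 3.4).
    p = dict(params)
    p.update({"oauth_consumer_key": consumer_key, "oauth_token": token,
              "oauth_signature_method": "HMAC-SHA1",
              "oauth_timestamp": str(ts if ts is not None else int(time.time())),
              "oauth_nonce": nonce or secrets.token_hex(8), "oauth_version": "1.0"})
    p["oauth_signature"] = hmac_sha1(consumer_secret, token_secret, base_string(method, url, p))
    return p


class BridgeServer:
    BRIDGE_URL = "https://server.example.com/oauth2/bridge"  # assumed endpoint
    ACCESS_TTL = 3600        # short-lived OAuth 2.0 access token lifetime (assumed)
    CLOCK_SKEW = 300         # accepted timestamp window in seconds (assumed)

    def __init__(self, consumers, tokens1):
        self.consumers = consumers  # consumer_key -> consumer_secret (provisioned offline)
        self.tokens1 = tokens1      # oauth_token -> {"secret", "consumer", "user"}
        self.seen = set()           # (consumer_key, timestamp, nonce) seen: replay detection
        self.tokens2 = {}           # OAuth 2.0 access tokens issued by the bridge
        self.refresh = {}           # OAuth 2.0 refresh tokens issued on migration

    def bridge(self, method, params, now=None):
        now = now if now is not None else time.time()
        try:
            ck, tok = params["oauth_consumer_key"], params["oauth_token"]
            consumer_secret, rec = self.consumers[ck], self.tokens1[tok]
            ts = int(params["oauth_timestamp"])
        except (KeyError, ValueError):
            return {"error": "invalid_client"}  # unknown consumer or (revoked) token
        if rec["consumer"] != ck or params.get("oauth_signature_method") != "HMAC-SHA1":
            return {"error": "invalid_request"}
        if abs(now - ts) > self.CLOCK_SKEW:
            return {"error": "invalid_request"}  # stale or future timestamp
        replay_key = (ck, ts, params.get("oauth_nonce"))
        if replay_key in self.seen:
            return {"error": "invalid_request"}  # nonce reuse: replayed request
        # The server signs over its own URL, never one supplied by the client.
        expected = hmac_sha1(consumer_secret, rec["secret"],
                             base_string(method, self.BRIDGE_URL, params))
        presented = str(params.get("oauth_signature", "")).encode("utf-8", "replace")
        if not hmac.compare_digest(expected.encode(), presented):
            return {"error": "invalid_signature"}
        self.seen.add(replay_key)
        access = secrets.token_urlsafe(24)
        self.tokens2[access] = {"user": rec["user"], "client": ck, "exp": now + self.ACCESS_TTL}
        resp = {"access_token": access, "token_type": "bearer", "expires_in": self.ACCESS_TTL}
        if params.get("migrate") == "true":
            # Migration: issue a refresh token and revoke the OAuth 1.0 access token.
            refresh = secrets.token_urlsafe(32)
            self.refresh[refresh] = {"user": rec["user"], "client": ck}
            del self.tokens1[tok]
            resp["refresh_token"] = refresh
        return resp


def run_demo():
    # Constructed consumer, token and user values; a fixed clock keeps it deterministic.
    srv = BridgeServer({"cons-key-1": "cons-secret-1"},
                       {"tok-1": {"secret": "tok-secret-1", "consumer": "cons-key-1", "user": "alice"}})
    now = 1273000000

    def signed(extra=None, **kw):
        return sign_request("POST", BridgeServer.BRIDGE_URL, extra or {}, "cons-key-1",
                            "cons-secret-1", "tok-1", "tok-secret-1", **kw)

    out = {}
    req = signed(nonce="n1", ts=now)
    out["short_lived"] = srv.bridge("POST", req, now)
    out["replay"] = srv.bridge("POST", req, now)            # same nonce and timestamp again
    bad = signed(nonce="n2", ts=now)
    bad["oauth_signature"] = "AAAA"                          # tampered signature
    out["tampered"] = srv.bridge("POST", bad, now)
    out["migrated"] = srv.bridge("POST", signed({"migrate": "true"}, nonce="n3", ts=now), now)
    out["after_revoke"] = srv.bridge("POST", signed(nonce="n4", ts=now), now)  # 1.0 token gone
    return out


if __name__ == "__main__":
    for step, result in run_demo().items():
        print(step, result)
```

Two design points worth noticing: the `migrate` flag is an ordinary request parameter, so it is covered by the OAuth 1.0 signature base string and cannot be injected into an otherwise valid request, and the server derives the signed URL from its own configuration rather than trusting the client, which is what keeps a signature made for one endpoint from being accepted at another.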