On May 5, 2010, at 7:09 AM, Foiles, Doug wrote:

> I would expect our OAuth 1.0 services to have support for OAuth 1.0 and 2.0
> for some period. I don't think we could expect all our clients to move to
> OAuth 2.0 at once. This is an interesting idea that allows clients to be
> able to cut over to OAuth 2.0 without users having to
> re-authenticate/authorize.
>
> Why not just transfer the remaining session lifetime to the new access token
> (or refresh token if requested). I would expect the scope to be transferred
> as well. I would want our users to authorize any extended period.
>

Yeah. Facebook's access tokens are literally just wrapping the old session tokens, so the access token preserves all the original properties. I expect many services that upgrade will likely use a similar approach.

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
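
An added sketch of the migration discussed in this thread, not code from either participant or from any real service: an OAuth 1.0 session is exchanged for an OAuth 2.0 access token that wraps it, carrying over only the remaining lifetime and the original scope. The session store, key, token format and function names are assumptions made for the illustration.

```python
import base64, hashlib, hmac, json, time

SERVER_KEY = b"constructed-demo-key"  # assumption: secret known only to the server

# Constructed OAuth 1.0 session store: legacy token -> original properties.
LEGACY_SESSIONS = {
    "legacy-abc": {"user": "u1", "scope": "read_stream", "expires_at": 1_700_003_600},
    "legacy-old": {"user": "u2", "scope": "read_stream", "expires_at": 1_700_000_000},
}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _sign(payload: str) -> str:
    return _b64(hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).digest())

def exchange_legacy_token(legacy_token, now=None):
    """Issue an OAuth 2.0 token response that wraps a live OAuth 1.0 session."""
    now = int(time.time()) if now is None else now
    session = LEGACY_SESSIONS.get(legacy_token)
    if session is None or session["expires_at"] <= now:
        raise ValueError("unknown or expired legacy session")
    claims = {"wraps": legacy_token, "scope": session["scope"],
              "exp": session["expires_at"]}  # same expiry, never extended
    payload = _b64(json.dumps(claims, sort_keys=True).encode())
    return {"access_token": f"{payload}.{_sign(payload)}", "token_type": "bearer",
            "expires_in": session["expires_at"] - now, "scope": session["scope"]}

def validate_access_token(access_token, now=None):
    """Check the wrapper, then defer to the wrapped session's properties."""
    now = int(time.time()) if now is None else now
    payload, _, sig = access_token.partition(".")
    if not hmac.compare_digest(sig.encode(), _sign(payload).encode()):
        raise ValueError("bad signature")
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    session = LEGACY_SESSIONS.get(claims["wraps"])
    # The old session stays authoritative: revoking it also kills the wrapper.
    if session is None or min(claims["exp"], session["expires_at"]) <= now:
        raise ValueError("expired or revoked")
    return {"user": session["user"], "scope": session["scope"]}
```

Any longer lifetime or wider scope would go through a fresh user authorization rather than this exchange.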