On Sun, May 9, 2010 at 10:40 PM, Eran Hammer-Lahav <e...@hueniverse.com> wrote:
>> >>>> 7. Refreshing an Access Token
>> >>>>
>> >>>> I would suggest to add an optional "scope" parameter to this request.
>> >>>> This could be used to downgrade the scope associated with a token.
>> >>>
>> >>> That would be the wrong way to do it given that people will expect
>> >>> to also be able to upgrade scope.
>> >>
>> >> Would you elaborate? Would not providing a scope parameter enable any
>> >> potential change in scope to the access token? The change may be
>> >> neither an upgrade or downgrade, just different.
>> >
>> > Downgrading scope is the only modification allowed without getting the
>> > end-user involved again (or using any of the flows from the beginning).
>> > When you refresh a token, you can ask to get a new token with less scope
>> > because that will not conflict with the access grant.
>>
>> The client could downgrade and then upgrade again later, which would not
>> change the delegation granted by a user.
>
> I think that will cause more confusion and problems than help. I am also not
> sure if there are real use cases for this limited capability.

Not sure how downgrade then upgrade would work. I think down/up grade is always relative to the scope associated with the refreshed token. The refresh token never changes, so the base scope is always the same.

Marius
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
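
The refresh behaviour discussed in this thread, as an added example that is not part of the original messages: a token endpoint that accepts an optional `scope` on refresh and checks it against the base scope bound to the refresh token. The names `GRANTS`, `refresh` and `ScopeError`, and the sample token and scope values, are hypothetical and constructed for illustration.

```python
import secrets


class ScopeError(Exception):
    """Raised when a refresh asks for scope outside the original grant."""


# Constructed sample state: refresh token -> scope the end-user approved.
# This mapping is the "base scope" and is never modified by a refresh.
GRANTS = {"rt-123": frozenset({"read", "write", "contacts"})}


def refresh(refresh_token, scope=None):
    """Issue a new access token for a refresh request.

    `scope` is the optional space-delimited parameter proposed in the
    thread. Omitting it yields the full base scope.
    """
    base = GRANTS.get(refresh_token)
    if base is None:
        raise KeyError("unknown refresh token")

    if scope is None:
        granted = base
    else:
        requested = frozenset(scope.split())
        if not requested:
            raise ScopeError("scope parameter present but empty")
        # Compare against the base scope, not against the scope of the
        # previously issued access token, so a narrowed token can later
        # be widened again up to (never beyond) what the user approved.
        extra = requested - base
        if extra:
            raise ScopeError("not in original grant: " + " ".join(sorted(extra)))
        granted = requested

    return {
        "access_token": secrets.token_urlsafe(16),
        "scope": " ".join(sorted(granted)),
    }


if __name__ == "__main__":
    print(refresh("rt-123", "read")["scope"])        # narrowed token
    print(refresh("rt-123", "read write")["scope"])  # wider, still within base
```

Anything outside the base scope is rejected, which corresponds to the case where the end-user has to be involved again.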