Hi All,

I want to know what the correct way is for an authorization server to act when the same client with the same resource owner asks for an access token for different scopes. Let's say:

1. Got an access token for scope "foo1, bar1"
2. Then, the same client with the same resource owner asks for an access token for a different scope, "foo2"

Here, should the authorization server issue a new access token for the "foo2" scope, or should it update the scope of the current access token in its own entries ("foo1", "bar1", "foo2") and return the same access token? Basically, is an access token issued per client, resource owner and scope, or only per client and resource owner?

I could not find much detail on this in the specification. Sorry if this has already been discussed.

Thanks,
Asela
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth