My understanding is this is ok if, during authorization, the client requested at least "foo1 bar1 foo2" or "foo1 bar1 foo2 bar2", for example. The effect of asking for a separate token is that the client has two tokens with different scopes: "foo1 bar1" and "foo2". This is actually nice because each token has minimal rights.

Of course, nothing says an AS can't invalidate a previous token, but nothing says it needs to.

Phil
@independentid
www.independentid.com
phil.h...@oracle.com

On 2013-05-16, at 3:54 PM, Asela Pathberiya wrote:

> Hi All,
>
> I want to know what the correct way is for the authorization server to act when the same client with the same resource owner is asking for an access token for different scopes?
> Let's say:
>
> 1. Got an access token for scope "foo1, bar1"
>
> 2. Then, if the same client with the same resource owner asks for an access token for a different scope "foo2"
>
> Here, should the authorization server issue a new access token for the "foo2" scope, or else should the authorization server update the scope for the current access token in its own entries ("foo1", "bar1", "foo2") and return the same access token?
>
> Basically, is an access token issued per client, resource owner and scope, or else only per client and resource owner?
>
> I could not find much detail on this in the specification. Sorry if this is already discussed.
>
> Thanks,
> Asela
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
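The behaviour Phil describes, as an added example that is not part of the thread or of any AS implementation: a toy authorization server that records the scope approved at authorization time per (client, resource owner), issues a separate token for each later request as long as the requested scope is a subset of what was approved, leaves earlier tokens valid, and lets a resource server check a token only for the scope it actually carries. The class and method names (AuthorizationServer, record_grant, issue_token, authorize_request) are assumptions for this illustration.

```python
"""Added illustration (hypothetical names, not from the thread): one token per
requested scope, each limited to what it was asked for, none revoked by the
issuance of the next. The scopes foo1/bar1/foo2/bar2 come from the thread."""
import secrets
from dataclasses import dataclass


@dataclass
class Grant:
    """What the resource owner approved for this client at authorization time."""
    client_id: str
    owner: str
    authorized_scope: frozenset


@dataclass
class AccessToken:
    value: str
    client_id: str
    owner: str
    scope: frozenset  # exactly the scope requested at the token endpoint


class AuthorizationServer:
    """Minimal in-memory AS: grants keyed by (client, owner), tokens by value."""

    def __init__(self):
        self._grants = {}   # (client_id, owner) -> Grant
        self._tokens = {}   # token value -> AccessToken

    def record_grant(self, client_id, owner, scope):
        """Store the scope the owner consented to (space-separated string)."""
        self._grants[(client_id, owner)] = Grant(client_id, owner, frozenset(scope.split()))

    def issue_token(self, client_id, owner, requested_scope):
        """Issue a new token whose scope is the requested subset of the grant.
        Previously issued tokens for the same client/owner are left untouched."""
        grant = self._grants.get((client_id, owner))
        if grant is None:
            raise PermissionError("no authorization grant for this client/owner")
        requested = frozenset(requested_scope.split())
        if not requested <= grant.authorized_scope:
            extra = sorted(requested - grant.authorized_scope)
            raise PermissionError(f"requested scope exceeds authorized scope: {extra}")
        token = AccessToken(secrets.token_urlsafe(24), client_id, owner, requested)
        self._tokens[token.value] = token
        return token

    def tokens_for(self, client_id, owner):
        """All live tokens for a client/owner pair (each with its own scope)."""
        return [t for t in self._tokens.values()
                if (t.client_id, t.owner) == (client_id, owner)]

    def authorize_request(self, token_value, required_scope):
        """Resource-server side: the token must exist and carry every required scope."""
        token = self._tokens.get(token_value)
        return token is not None and frozenset(required_scope.split()) <= token.scope

    def revoke(self, token_value):
        """Optional: an AS may revoke an earlier token, but nothing obliges it to."""
        self._tokens.pop(token_value, None)


def demo():
    """Walk through the thread's scenario; returns the two tokens issued."""
    srv = AuthorizationServer()
    srv.record_grant("client-a", "alice", "foo1 bar1 foo2")   # consent covered all three
    t1 = srv.issue_token("client-a", "alice", "foo1 bar1")    # first token
    t2 = srv.issue_token("client-a", "alice", "foo2")         # second, separate token
    assert srv.authorize_request(t1.value, "foo1") and not srv.authorize_request(t1.value, "foo2")
    return t1, t2


if __name__ == "__main__":
    a, b = demo()
    print("token 1 scope:", sorted(a.scope), "token 2 scope:", sorted(b.scope))
```

The security-relevant check is the subset test in issue_token: a token endpoint that merged scopes into one token, or handed out scopes beyond the recorded grant, would widen what any single leaked token can do; keeping one narrowly scoped token per request keeps the blast radius of each token to what it was asked for.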