There is a missing step in this flow that also needs to be considered, and that is how the app authenticates to the backend server.
In the Google case they are providing a JWT/id_token to the client from the token endpoint for the client to use for its authentication to its backend. It would not be a huge step to have the backend then use token exchange along with its credentials to exchange that for a refresh token. I can see giving out two codes and we have discussed that in the past. This topic should perhaps be added to the list of things for rechartering. There are a lot of interactions and possible security side effects that need to be looked at.

John B.

> On Nov 21, 2015, at 9:55 AM, nov matake <n...@matake.jp> wrote:
>
> Hi OAuthers,
>
> I’m thinking of the way to issue refresh tokens both to a native app and its
> backend server at the same time.
> I have 2 ideas currently.
>
> 1. including 2 audiences in a single authorization code, and allowing the
> code to be used once per audience.
> 2. issuing 2 codes, one for the native app, one for the backend server.
>
> The 1st way means the code can be used twice, so it can break RFC6749.
> The 2nd way means defining another code (ex. code_for_backend etc.)
>
> Does someone have an implementation supporting such a use-case?
>
> —
> nov
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
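The flow John sketches above (native app redeems a single-use authorization code, presents the resulting id_token to its backend, and the backend trades that id_token for its own refresh token via token exchange), simulated end to end as an added example that is not part of the thread. The in-memory authorization server, the client registrations ("native-app", "backend"), the HMAC-signed stand-in for a real JWT, and the policy table that says which confidential client may exchange which audience's tokens are all assumptions for the demo, not anything the thread or Google's implementation specifies. It also shows the property nov's first idea would give up: a replayed code is rejected because the code is consumed on first use.

```python
"""Simulated OAuth flow: native app redeems a one-time authorization code
(with PKCE), receives an id_token, hands it to its backend, and the backend
performs an RFC 8693-style token exchange with its own client credentials to
obtain a refresh token of its own. Added example; not code from the thread.
The HMAC "JWT", the registered clients and the exchange policy are assumptions."""
import base64, hashlib, hmac, json, secrets, time

SIGNING_KEY = b"as-demo-signing-key"   # assumption: HS256 for the demo instead of the AS's RSA key


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def sign_jwt(claims: dict) -> str:
    """Compact-serialised JWT signed with HS256 (stand-in for the AS's real key)."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"


def verify_jwt(token: str) -> dict:
    """Check the signature in constant time and return the claims; raise on tampering."""
    header, body, sig = token.split(".")
    expected = hmac.new(SIGNING_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64(expected), sig):
        raise ValueError("bad signature")
    return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))


class AuthorizationServer:
    def __init__(self):
        self.codes = {}             # code -> (client_id, user, PKCE challenge)
        self.refresh_tokens = {}    # refresh token -> (client_id, user)
        # assumption: one public client (no secret) and one confidential client
        self.clients = {"native-app": None, "backend": "backend-secret"}
        # assumption: AS policy naming which confidential client may exchange
        # id_tokens issued to which audience (the "security side effect" to pin down)
        self.exchange_policy = {"backend": {"native-app"}}

    def authorize(self, client_id, user, code_challenge):
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, user, code_challenge)
        return code

    def token(self, code, client_id, code_verifier):
        """Authorization-code grant. pop() consumes the code: a second use fails (RFC 6749)."""
        entry = self.codes.pop(code, None)
        if entry is None:
            raise PermissionError("invalid_grant: code unknown or already used")
        owner, user, challenge = entry
        if owner != client_id or _b64(hashlib.sha256(code_verifier.encode()).digest()) != challenge:
            raise PermissionError("invalid_grant: client or PKCE verifier mismatch")
        rt = secrets.token_urlsafe(24)
        self.refresh_tokens[rt] = (client_id, user)
        now = int(time.time())
        id_token = sign_jwt({"iss": "https://as.example", "sub": user, "aud": client_id,
                             "iat": now, "exp": now + 300})
        return {"access_token": secrets.token_urlsafe(16), "refresh_token": rt, "id_token": id_token}

    def exchange(self, subject_token, client_id, client_secret):
        """Token exchange: the backend authenticates with its own credentials and
        presents the app's id_token as subject_token; it gets a refresh token bound
        to the same user but to the backend's client_id."""
        if self.clients.get(client_id) != client_secret:
            raise PermissionError("invalid_client")
        claims = verify_jwt(subject_token)
        if claims["exp"] < time.time():
            raise PermissionError("invalid_grant: expired subject_token")
        if claims["aud"] not in self.exchange_policy.get(client_id, set()):
            raise PermissionError("invalid_grant: client may not exchange tokens for this audience")
        rt = secrets.token_urlsafe(24)
        self.refresh_tokens[rt] = (client_id, claims["sub"])
        return {"refresh_token": rt,
                "issued_token_type": "urn:ietf:params:oauth:token-type:refresh_token"}


def run_flow():
    """Drive the whole flow and report who ended up holding which refresh token."""
    as_ = AuthorizationServer()
    verifier = secrets.token_urlsafe(32)
    challenge = _b64(hashlib.sha256(verifier.encode()).digest())      # PKCE S256
    code = as_.authorize("native-app", "alice", challenge)
    app_tokens = as_.token(code, "native-app", verifier)
    try:
        as_.token(code, "native-app", verifier)                        # replay attempt
        replay_rejected = False
    except PermissionError:
        replay_rejected = True
    # The app authenticates to its backend with the id_token; the backend exchanges it.
    backend_tokens = as_.exchange(app_tokens["id_token"], "backend", "backend-secret")
    return {"app_refresh_owner": as_.refresh_tokens[app_tokens["refresh_token"]],
            "backend_refresh_owner": as_.refresh_tokens[backend_tokens["refresh_token"]],
            "replay_rejected": replay_rejected}


if __name__ == "__main__":
    print(run_flow())
```

Two points the simulation makes concrete. First, both parties hold refresh tokens for the same subject without the code ever being redeemed twice, so the single-use rule of RFC 6749 is untouched. Second, the exchange endpoint is where the side effects John mentions have to be controlled: it must authenticate the confidential client, check the subject token's signature, expiry and audience, and consult an explicit policy about which client may exchange tokens issued to which audience, otherwise any confidential client that obtains an id_token could mint itself a long-lived refresh token for that user.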