Re: [OAUTH-WG] Access token must be differ based on the scope?

Prabath Siriwardena <prabath@wso2.com> Fri, 17 May 2013 01:21 UTC

In-Reply-To: <D2E13C5F-6CC1-45A1-891A-F612A94D0A5A@oracle.com>
References: <CAKfK-ypheXcp9Go92Z0Vzs8TvWGQujcKcCs3X64X9xy-bjc7vQ@mail.gmail.com> <D2E13C5F-6CC1-45A1-891A-F612A94D0A5A@oracle.com>
Date: Fri, 17 May 2013 06:51:40 +0530
Message-ID: <CAJV9qO_gKwz2pppLmN-R99BdJx+MEoz4+Ci0eo4GpK11J3-Cgw@mail.gmail.com>
From: Prabath Siriwardena <prabath@wso2.com>
To: Phil Hunt <phil.hunt@oracle.com>
Cc: oauth@ietf.org

Yes. If it's a new grant asking for an access token with a new scope, then we
need to give a new access token.

Thanks & regards,
-Prabath

On Fri, May 17, 2013 at 6:13 AM, Phil Hunt <phil.hunt@oracle.com> wrote:

> My understanding is this is ok if during authorization, the client
> requested at least "foo1 bar1 foo2" or "foo1 bar1 foo2 bar2" for example.
>  The effect of asking for a separate token is the client has two tokens
> with different scopes.  "foo1 bar1" and "foo2".  This is actually nice
> because each token has minimal rights.
>
> Of course nothing saying an AS can't invalidate a previous token, but
> nothing saying it needs to.
>
> Phil
>
> @independentid
> www.independentid.com
> phil.hunt@oracle.com
>
>
>
>
>
> On 2013-05-16, at 3:54 PM, Asela Pathberiya wrote:
>
> > Hi All,
> >
> > I want to know what is the correct way for the authorization server to
> act when the same client with the same resource owner asks for an access token
> for different scopes?
> > Let's say.
> >
> > 1. Got an access token for scope "foo1, bar1"
> >
> > 2. Then , if same client with same resource owner asks for an access
> token for different scope "foo2"
> >
> > Here, should the authorization server issue a new access token for the
> "foo2" scope, or must the authorization server instead update the scope of the
> current access token in its own entries ("foo1", "bar1", "foo2") and return the
> same access token?
> >
> > Basically, is an access token issued per client, resource owner and scope,
> or only per client and resource owner?
> >
> > I could not find many details on this in the specification. Sorry if
> this has already been discussed.
> >
> > Thanks,
> > Asela
> > _______________________________________________
> > OAuth mailing list
> > OAuth@ietf.org
> > https://www.ietf.org/mailman/listinfo/oauth
>



-- 
Thanks & Regards,
Prabath

Mobile : +94 71 809 6732

http://blog.facilelogin.com
http://RampartFAQ.com
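The behaviour Phil describes above (one authorization backing several access tokens, each carrying only the scope the client asked for, with the earlier token not necessarily invalidated) as an added, self-contained example. This is not code from the thread or from any participant's product; the class and method names (Grant, AuthorizationServer, ResourceServer, issue_token, introspect) are invented for illustration, the token store is an in-memory dict, and the rule that a narrower request must stay within the scope the resource owner originally granted follows the RFC 6749 section 6 wording for refresh requests.

```python
import secrets
from dataclasses import dataclass

# Constructed example: one grant (client, resource owner, approved scopes) can back
# several access tokens. Each token gets exactly the scope requested, so a token
# for "foo2" cannot touch "foo1" and vice versa.


@dataclass
class Grant:
    client_id: str
    resource_owner: str
    granted_scopes: frozenset  # what the resource owner actually approved


@dataclass
class AccessToken:
    value: str
    client_id: str
    resource_owner: str
    scopes: frozenset
    revoked: bool = False


class AuthorizationServer:
    def __init__(self):
        self._tokens = {}  # token value -> AccessToken (hypothetical in-memory store)

    def issue_token(self, grant, requested_scope):
        """Issue a distinct token per request. The requested scope must be a subset
        of what the resource owner granted; anything broader is refused with
        invalid_scope rather than silently widening an existing token."""
        requested = frozenset(requested_scope.split())
        if not requested:
            raise ValueError("invalid_scope: empty scope")
        extra = requested - grant.granted_scopes
        if extra:
            raise ValueError("invalid_scope: not granted: %s" % sorted(extra))
        token = AccessToken(
            value=secrets.token_urlsafe(32),
            client_id=grant.client_id,
            resource_owner=grant.resource_owner,
            scopes=requested,
        )
        self._tokens[token.value] = token
        return token

    def revoke(self, token_value):
        """Optional: the AS may invalidate an earlier token, but nothing requires it."""
        tok = self._tokens.get(token_value)
        if tok is not None:
            tok.revoked = True

    def introspect(self, token_value):
        """Return the live token record, or None for unknown or revoked tokens."""
        tok = self._tokens.get(token_value)
        if tok is None or tok.revoked:
            return None
        return tok

    def active_tokens_for(self, client_id, resource_owner):
        """All live tokens for one (client, resource owner) pair, regardless of scope."""
        return [t for t in self._tokens.values()
                if not t.revoked and t.client_id == client_id
                and t.resource_owner == resource_owner]


class ResourceServer:
    def __init__(self, auth_server):
        self._as = auth_server

    def authorize(self, token_value, required_scope):
        """Accept the request only if the presented token is live and its own scope
        covers the resource; the wider grant behind it is irrelevant here."""
        tok = self._as.introspect(token_value)
        return tok is not None and required_scope in tok.scopes


def demo():
    """Walk through Asela's scenario: first "foo1 bar1", then "foo2" for the same
    client and resource owner. Returns the objects so the outcome can be checked."""
    auth = AuthorizationServer()
    rs = ResourceServer(auth)
    # Resource owner approved the union up front, as in Phil's reply.
    grant = Grant("client-A", "alice", frozenset({"foo1", "bar1", "foo2"}))
    t1 = auth.issue_token(grant, "foo1 bar1")
    t2 = auth.issue_token(grant, "foo2")
    return auth, rs, grant, t1, t2


if __name__ == "__main__":
    auth, rs, grant, t1, t2 = demo()
    print("distinct tokens:", t1.value != t2.value)
    print("t1 -> foo2 allowed:", rs.authorize(t1.value, "foo2"))
    print("t2 -> foo2 allowed:", rs.authorize(t2.value, "foo2"))
    print("live tokens for client-A/alice:", len(auth.active_tokens_for("client-A", "alice")))
```

The resource server checks the scope of the token actually presented, not the scope of the grant behind it, which is what makes the two-token arrangement a least-privilege win: a leaked "foo2" token gives nothing on "foo1". A request for a scope outside the original grant ("foo2 bar2" here, when "bar2" was never approved) is rejected instead of being merged into an existing token.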