Closed rfk closed 6 years ago
Would this also help us build an OAuth-based (instead of sessionToken) devices system with 1 refresh token = 1 device?
Yes, exactly :-)
Here's the latest proposed spec: https://tools.ietf.org/html/draft-ietf-oauth-incremental-authz-00
@rfk @eoger do we close this for now, or do we still need this?
I'd like to do this one day, but it seems a ways off; we can easily file a fresh bug for it if necessary. 🗡
OAuth has a nice flow called "incremental authorization" that allows a client to request scopes on an as-needed basis, and have them added to its existing refresh_token rather than juggling multiple refresh_tokens:
I think this will be useful as we build out a refresh-token-focussed client lib over in https://github.com/mozilla/application-services/issues/40
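
A sketch of the server-side half of the flow described above, as an added example that is not code from this thread or from the FxA code base. It assumes the `existing_grant` token-request parameter from the linked draft and, following the issue's wording, merges new scopes into the existing refresh token; the function names, in-memory stores and scope names are hypothetical.

```javascript
// Toy in-memory authorization server state (constructed for illustration).
const codes = new Map();  // authorization code -> { clientId, userId, scopes }
const grants = new Map(); // refresh_token -> { clientId, userId, scopes: Set }
let counter = 0;
// Placeholder token generator; a real server draws tokens from a CSPRNG.
const newToken = (prefix) => `${prefix}-${++counter}`;

// Hypothetical helper: the user has approved `scopes` for `clientId`.
function issueCode(clientId, userId, scopes) {
  const code = newToken('code');
  codes.set(code, { clientId, userId, scopes });
  return code;
}

// Token endpoint, authorization_code grant only.
function exchangeCode({ clientId, code, existing_grant }) {
  const auth = codes.get(code);
  codes.delete(code); // authorization codes are single use
  if (!auth || auth.clientId !== clientId) return { error: 'invalid_grant' };

  if (existing_grant === undefined) {
    // First authorization: mint a fresh refresh token for this client/user.
    const rt = newToken('rt');
    grants.set(rt, { clientId, userId: auth.userId, scopes: new Set(auth.scopes) });
    return { refresh_token: rt, scope: [...auth.scopes].sort().join(' ') };
  }

  const grant = grants.get(existing_grant);
  // Only merge when the existing grant belongs to the same client AND the
  // same user as the new code; otherwise scopes approved by one user could
  // end up attached to a different user's or a different client's token.
  if (!grant || grant.clientId !== clientId || grant.userId !== auth.userId) {
    return { error: 'invalid_grant' };
  }
  auth.scopes.forEach((s) => grant.scopes.add(s));
  return { refresh_token: existing_grant, scope: [...grant.scopes].sort().join(' ') };
}
```

The client keeps a single refresh token per device throughout, which is what makes the "1 refresh token = 1 device" model raised in the comments workable.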