Closed swishstache closed 12 years ago
This is undefined in the spec, and a behaviour this library does not support. We've considered it, but it's never been a big enough problem for us.
There's a couple of ways you could fix it: either introduce a new Token object such that Authorization.has_many :tokens, or switch to self-contained encrypted tokens, using randomized authenticated encryption.
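Both routes the maintainer describes, as an added Ruby sketch that is not the library's own code: the Token model is a plain-Ruby stand-in for an ActiveRecord has_many, and the key, grant string and client id used with it are constructed sample values.

```ruby
require 'securerandom'
require 'openssl'
require 'base64'

# Route 1: one Token record per device. An Authorization (user + client +
# scope) has many tokens, so the laptop's grant adds a token rather than
# replacing the desktop's.
Token = Struct.new(:value, :revoked)

class Authorization
  attr_reader :grant, :tokens           # Authorization.has_many :tokens
  def initialize(grant)
    @grant, @tokens = grant, []         # grant: client_id, user_id, scope
  end

  # Each user-agent flow mints a fresh random token and keeps the old ones.
  def issue_token
    @tokens << Token.new(SecureRandom.hex(32), false)
    @tokens.last
  end

  def lookup(value)                     # resource-server lookup, revoked tokens excluded
    @tokens.find { |t| t.value == value && !t.revoked }
  end
end

# Route 2: self-contained tokens. The server keeps only a secret key; each
# token is the grant string encrypted with AES-256-GCM under a fresh random
# nonce, so tokens for one grant differ and any alteration fails the tag check.
class SealedTokens
  def initialize(key)
    @key = key                          # 32 random bytes, constructed by the caller
  end
  def seal(grant)
    c = OpenSSL::Cipher.new('aes-256-gcm').encrypt
    c.key = @key
    iv = c.random_iv                    # 12-byte nonce, fresh per token
    body = c.update(grant) + c.final
    Base64.urlsafe_encode64(iv + body + c.auth_tag)
  end

  # Returns the grant string, or nil if the token was forged or altered.
  def unseal(token)
    raw = Base64.urlsafe_decode64(token)
    d = OpenSSL::Cipher.new('aes-256-gcm').decrypt
    d.key, d.iv, d.auth_tag = @key, raw[0, 12], raw[-16..]
    d.update(raw[12...-16]) + d.final
  rescue OpenSSL::Cipher::CipherError, ArgumentError, TypeError
    nil
  end
end
```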
Argh. I'll explore the token object route -- thanks!
I don't see this addressed in the draft (10 or later versions). This is the only reference I can find on the issue: http://tools.ietf.org/html/draft-richer-oauth-instance-00
Let's say I have some browser add-on installed on my laptop and that same add-on installed on my desktop. If I go through a user agent flow on my desktop to get a token:
http://local/oauth2/authorize?client_id=b06jrfu82u3adi9ludzfnb1ik&redirect_uri=http://www.clientsite.org/q&scope=read create&response_type=token
Everything is fine. But when I do the same flow on my laptop, the access token my desktop has is now replaced.
Is there something additional I'm missing or is this a failing in the draft (10)?