songkick / oauth2-provider

Simple OAuth 2.0 provider toolkit
MIT License

Access token changing / Same client different tokens #56

Closed lloydmeta closed 10 years ago

lloydmeta commented 10 years ago

I've noticed that the access_token changes on subsequent requests to authorize a client for a given user, resulting in the old access_token being overwritten.

From what I gather from this post, this is a result of a gap in the spec.

What is the recommended approach to handling a situation where we expect users to use the same client from multiple devices?

Thanks a lot in advance.

jcoglan commented 10 years ago

As detailed in #37, we'd need to implement either:

All of these have security and implementation problems. I tried to implement the 3rd option a while ago but found the amount of work involved was not worth it for our use case.

The current situation is that users must re-authenticate if they switch devices.
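
As an added illustration (not code from oauth2-provider, and not from either commenter), here is a small Ruby model of the two behaviours under discussion: a store that keys tokens on the (client, user) pair, where a second authorization from another device overwrites the first device's token, beside a per-grant store where each authorization keeps its own token and can be revoked on its own. All class and method names (`SingleTokenStore`, `PerGrantStore`, `TokenUtil`) are hypothetical; the per-grant store is only a sketch of one alternative, and the issue itself says the alternatives were judged not worth their security and implementation cost for this project.

```ruby
require 'securerandom'
require 'digest'

# Hypothetical helpers and stores (not oauth2-provider's own code) modelling
# the behaviour described in the issue.
module TokenUtil
  # Constant-time equality for two digests of equal length.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end

  def self.mint
    SecureRandom.urlsafe_base64(32)   # 256 bits of entropy per token
  end

  def self.fingerprint(token)
    Digest::SHA256.hexdigest(token)   # store a digest, never the raw token
  end
end

# One access token per (client, user): re-authorizing the same client
# replaces the stored digest, so the token the first device holds stops
# validating. This is the overwrite the issue reports.
class SingleTokenStore
  def initialize
    @tokens = {} # [client_id, user_id] => SHA-256 hex of the live token
  end

  def authorize(client_id, user_id)
    token = TokenUtil.mint
    @tokens[[client_id, user_id]] = TokenUtil.fingerprint(token)
    token
  end

  def valid?(client_id, user_id, token)
    stored = @tokens[[client_id, user_id]]
    !stored.nil? && TokenUtil.secure_compare(stored, TokenUtil.fingerprint(token))
  end
end

# One row per authorization: each device gets its own token, tokens are
# looked up by digest, and revoking one leaves the others untouched.
# Sketch of one alternative design, not the library's behaviour.
class PerGrantStore
  Grant = Struct.new(:client_id, :user_id, :revoked)

  def initialize
    @grants = {} # token digest => Grant
  end

  def authorize(client_id, user_id)
    token = TokenUtil.mint
    @grants[TokenUtil.fingerprint(token)] = Grant.new(client_id, user_id, false)
    token
  end

  # Digest-keyed lookup: the key is a SHA-256 of a high-entropy token, so a
  # hash-table lookup here does not expose the raw token to timing probes.
  def valid?(client_id, user_id, token)
    grant = @grants[TokenUtil.fingerprint(token)]
    !grant.nil? && !grant.revoked &&
      grant.client_id == client_id && grant.user_id == user_id
  end

  def revoke(token)
    grant = @grants[TokenUtil.fingerprint(token)]
    grant.revoked = true unless grant.nil?
  end

  # Live tokens for a (client, user) pair, e.g. for a "your devices" page.
  def live_count(client_id, user_id)
    @grants.values.count { |g| !g.revoked && g.client_id == client_id && g.user_id == user_id }
  end
end

if __FILE__ == $PROGRAM_NAME
  single = SingleTokenStore.new
  phone  = single.authorize('app', 'alice')
  laptop = single.authorize('app', 'alice')
  puts "single store: phone token still valid after laptop login? #{single.valid?('app', 'alice', phone)}"
  puts "single store: laptop token valid? #{single.valid?('app', 'alice', laptop)}"

  per = PerGrantStore.new
  phone  = per.authorize('app', 'alice')
  laptop = per.authorize('app', 'alice')
  per.revoke(laptop)
  puts "per-grant store: phone token valid after laptop revoked? #{per.valid?('app', 'alice', phone)}"
end
```

Run it with `ruby tokens.rb`: the single-token store reports the phone token as invalid as soon as the laptop authorizes, which is exactly the "re-authenticate when you switch devices" behaviour described above, while the per-grant store keeps the phone token valid after the laptop's token is revoked. Both stores keep only SHA-256 digests of tokens, so a leaked database does not yield usable bearer tokens.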

lloydmeta commented 10 years ago

Understood :+1: