Reputation: 18895
According to the OAuth2 specs, is it allowed to have multiple valid tokens per Resource Owner at the same time?
For security considerations it seems appropriate (less exposed area for replay attacks) that only 1 active token per Resource Owner (i.e. User) is available. This would mean that when a new access token is requested for a Resource Owner, the existing/old one (if it exists) should be revoked.
I can't find any mention of this mechanism. Can someone clarify? Thanks.
Upvotes: 1
Views: 644
Reputation: 2441
I've seen no such restriction in the standard. Having multiple tokens absolutely makes sense and may even improve security for tokens with different scopes. Consider a scenario where the client starts with some basic privileges (e.g. read-only access) and asks for elevated privileges for sensitive operations (e.g. write access). This is very similar to "run as root/admin" in Linux/Windows systems.
Consequently, having multiple tokens with different scopes can make a system more secure if a single token is stolen.
Upvotes: 2
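As an added illustration of the answer's point (this is example code written for this page, not from the question, the answer, or any OAuth2 library), the toy in-memory token store below lets one resource owner hold a long-lived read-only token and a short-lived write token at the same time. The resource server's scope check is what limits the blast radius: a stolen read token cannot perform a write, the write token expires on its own, and revoking one token leaves the other untouched. The `TokenStore` class, its methods, and the owner/client names are all constructed for this illustration.

```python
import secrets
import time
from dataclasses import dataclass


@dataclass
class AccessToken:
    """One issued bearer token (constructed model, not a real OAuth2 type)."""
    value: str
    owner: str                 # resource owner (user) the token was issued for
    client_id: str             # client that holds the token
    scopes: frozenset          # granted scopes, e.g. {"read"} or {"read", "write"}
    expires_at: float          # absolute expiry (seconds since epoch)
    revoked: bool = False


class TokenStore:
    """Minimal resource-server side store: many active tokens per owner are allowed."""

    def __init__(self):
        self._tokens = {}

    def issue(self, owner, client_id, scopes, ttl=3600, now=None):
        """Issue a new token without touching the owner's other tokens."""
        now = time.time() if now is None else now
        tok = AccessToken(secrets.token_urlsafe(32), owner, client_id,
                          frozenset(scopes), now + ttl)
        self._tokens[tok.value] = tok
        return tok

    def active_tokens(self, owner, now=None):
        """All tokens for an owner that are neither revoked nor expired."""
        now = time.time() if now is None else now
        return [t for t in self._tokens.values()
                if t.owner == owner and not t.revoked and now < t.expires_at]

    def revoke(self, value):
        """Revoke a single token by value; other tokens are unaffected."""
        if value in self._tokens:
            self._tokens[value].revoked = True

    def authorize(self, value, required_scope, now=None):
        """Scope check a resource server would run on each request."""
        now = time.time() if now is None else now
        tok = self._tokens.get(value)
        if tok is None or tok.revoked or now >= tok.expires_at:
            return False
        return required_scope in tok.scopes


def demo(now=1_700_000_000.0):
    """Walk through the answer's scenario and return the observable outcomes."""
    store = TokenStore()
    # Step 1: the client starts with a long-lived read-only token.
    read_tok = store.issue("alice", "mobile-app", {"read"}, ttl=3600, now=now)
    # Step 2: for a sensitive operation it obtains a short-lived write token;
    # the read token stays valid alongside it.
    write_tok = store.issue("alice", "mobile-app", {"read", "write"}, ttl=300, now=now)

    results = {
        "active_count": len(store.active_tokens("alice", now=now)),
        # A stolen read token cannot write; only the elevated token can.
        "read_can_write": store.authorize(read_tok.value, "write", now=now),
        "write_can_write": store.authorize(write_tok.value, "write", now=now),
    }
    # Step 3: ten minutes later the write token has expired, the read token has not.
    later = now + 600
    results["write_after_expiry"] = store.authorize(write_tok.value, "write", now=later)
    results["read_after_expiry"] = store.authorize(read_tok.value, "read", now=later)
    # Step 4: revoking the read token does not disturb the write token.
    store.revoke(read_tok.value)
    results["read_after_revoke"] = store.authorize(read_tok.value, "read", now=now)
    results["write_after_read_revoked"] = store.authorize(write_tok.value, "write", now=now)
    return results


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

The design choice worth noting is that `authorize` keys on the token's own scope and lifetime rather than on "is this the owner's only token", so elevated access can be granted for a short window without downgrading or invalidating the session the client already has.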