Reputation: 12450
I want to know if it is permissible to pass a user's OAuth 2.0 access token between applications and use it as a method of logging them in.
I have an iPhone application that uses the password grant to authenticate a user, and then uses their access token for future requests. The iPhone application is also able to open up our website in a tab, and I want the user to be logged in to our website when this tab opens.
Under the OAuth 2.0 spec, is it permissible to pass that token to the web request and have the web server authenticate and log the user in for that request?
For example, the browser might open the following location (but use a header, instead of a query string):
https://example.com/account?access_token=foo_bar
Alternatively, a dedicated endpoint for OAuth authentication and a redirect could be used.
So in effect, my question is in two parts: can an OAuth 2.0 token be shared between application contexts, and can a token be used to authenticate a user in another context?
Upvotes: 3
Views: 4277
Reputation: 16334
In the OAuth 2.0 Spec (RFC 6749), there are a couple of areas that may be relevant. Basically a client can receive an access_token that is accepted by multiple resource_servers, but if the client is comprised of multiple components with different security contexts, it should register each one and use a different token:
Single token across multiple resource servers

"A single authorization server may issue access tokens accepted by multiple resource servers."

Single client with multiple components

"A client may be implemented as a distributed set of components, each with a different client type and security context (e.g., a distributed client with both a confidential server-based component and a public browser-based component). If the authorization server does not provide support for such clients or does not provide guidance with regard to their registration, the client SHOULD register each component as a separate client."
Upvotes: 2
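The two spec passages above, and the question's preference for a header over a query string, can be modelled in a few lines. The following is an added example, not code from the question or answer and not a real OAuth library: a toy authorization server that issues opaque tokens and answers introspection, and a resource server that accepts only a `Bearer` token from the `Authorization` header and checks the token's audience and scope. The names `iphone-app`, `web-component`, `api.example.com`, `www.example.com`, the `account:read` scope and the fixed timestamps are all constructed for the demo.

```python
"""Toy model of RFC 6749 token handling across components (added example)."""
import secrets
import time
from dataclasses import dataclass


@dataclass
class AccessToken:
    value: str
    client_id: str        # registered client component the token was issued to
    audiences: frozenset  # resource servers that may accept this token
    scopes: frozenset
    expires_at: float


class AuthorizationServer:
    """Issues opaque tokens and answers introspection (assumed, not a real AS)."""

    def __init__(self):
        self.registered_clients = set()
        self._tokens = {}

    def register_client(self, client_id):
        self.registered_clients.add(client_id)

    def issue_token(self, client_id, audiences, scopes, ttl=3600, now=None):
        # A component that is not registered as a client gets no token at all.
        if client_id not in self.registered_clients:
            raise PermissionError(f"unregistered client: {client_id}")
        now = time.time() if now is None else now
        value = secrets.token_urlsafe(32)
        self._tokens[value] = AccessToken(
            value, client_id, frozenset(audiences), frozenset(scopes), now + ttl)
        return value

    def introspect(self, value, now=None):
        now = time.time() if now is None else now
        tok = self._tokens.get(value)
        if tok is None or tok.expires_at <= now:
            return None
        return tok


class ResourceServer:
    """A resource server (API or website) that validates bearer tokens."""

    def __init__(self, name, auth_server):
        self.name = name
        self.auth_server = auth_server

    @staticmethod
    def bearer_from_headers(headers):
        # Only the Authorization header is consulted; a token placed in the
        # query string is ignored, so it never ends up in logs or referrers.
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        if scheme.lower() != "bearer" or not token.strip():
            return None
        return token.strip()

    def authenticate(self, headers, required_scope, now=None):
        token = self.bearer_from_headers(headers)
        if token is None:
            return 401, "missing bearer token"
        info = self.auth_server.introspect(token, now)
        if info is None:
            return 401, "invalid or expired token"
        if self.name not in info.audiences:
            return 401, "token not issued for this resource server"
        if required_scope not in info.scopes:
            return 403, "insufficient scope"
        return 200, info.client_id


def demo():
    """Walk through the cases from the question; returns a dict of outcomes."""
    auth = AuthorizationServer()
    auth.register_client("iphone-app")      # the password-grant client
    auth.register_client("web-component")   # the website, registered separately
    api = ResourceServer("api.example.com", auth)
    web = ResourceServer("www.example.com", auth)
    t0 = 1_000_000.0  # constructed clock value so expiry is deterministic

    # One token accepted by two resource servers (first spec passage).
    phone_token = auth.issue_token(
        "iphone-app", ["api.example.com", "www.example.com"], ["account:read"], now=t0)
    hdr = {"Authorization": f"Bearer {phone_token}"}
    results = {
        "api_via_header": api.authenticate(hdr, "account:read", now=t0),
        "web_via_header": web.authenticate(hdr, "account:read", now=t0),
        # Token sent only as ?access_token=... (no header) is not honoured.
        "web_query_string": web.authenticate({}, "account:read", now=t0),
        "expired": web.authenticate(hdr, "account:read", now=t0 + 7200),
    }
    # A token scoped to the API alone must not log the user into the website.
    api_only = auth.issue_token("iphone-app", ["api.example.com"], ["account:read"], now=t0)
    results["web_wrong_audience"] = web.authenticate(
        {"Authorization": f"Bearer {api_only}"}, "account:read", now=t0)
    # An unregistered component cannot obtain its own token (second passage).
    try:
        auth.issue_token("web-browser-tab", ["www.example.com"], ["account:read"], now=t0)
        results["unregistered"] = "issued"
    except PermissionError:
        results["unregistered"] = "refused"
    return results
```

Run `demo()` to see that the same token is accepted by both servers when its audience lists both, that a token issued for the API alone is rejected by the website, that a token supplied only in the query string is ignored, and that the browser tab, if treated as a separate component, must be registered before it gets a token of its own.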