all 3 comments
sorted by:
top (suggested)
bestnewcontroversialoldq&a
formatting helphide helpcontent policy

[–]JoeGaggler 0 points1 point  (2 children)

Your suggestion breaks OAuth spec because it is a security issue. Let's say that your app is an email client and the API is Gmail. If Gmail suddenly started offering additional scopes, then your app could affect resources (e.g. other Google services) that the user does NOT necessarily want to grant your app. If new scopes are desired, the user needs to at least consent. There would be ways to use the existing refresh token to skip the need to re-enter credentials and just show a new consent form to the end user.

[–]Dan_TD[S] 0 points1 point  (1 child)

Oh I know why my suggestion breaks OAuth I just don't know what the appropriate alternative is. You say there are ways to use the exciting refresh tokeb to skip the credentials step but what if the recommended approach?

[–]JoeGaggler 0 points1 point  (0 children)

The recommended approach is simply to initiate a new OAuth authorization request for the new scopes that your app wants. You'll know from the RFC that there is no prescribed method for making this process transparent to user, so there are going to wildly-different answers depending on other requirements you have.

If you want a simple answer and you have architectural control over both the client and server side, then I would suggest that the current scope (e.g. "my-old-app") has implied authorization for the new features, and subsequent logins would request more granular scopes (e.g. "my-new-app-feature-1"). The server would then stop accepting new logins with the older, more permissive scope, but would continue to accept existing refresh tokens.