Best practices for handling access tokens and scopes for OAuth2 implementation?

Question

Assume we have an OAuth2 implementation that supports \"read\" and \"write\" scope.

I retrieve an access token \"f482c829\" with \"read\" scope. If I then change my mind

Answer 1

In facebook's case, resource server is basically same with authorization server. So they do "use existing token" way. And it enable to allow users to disable each scopes on facebook.com site. About refresh token, you don't need to establish new refresh token. (Of course you can do it though.) Existing refresh token will also be connected with all scopes.

In Google's case (maybe Yahoo! too), resource server is totally different from authorization server. Many resource server (Docs, Buzz etc) accept access tokens established single authorization server. In this case, "establish new token" way seems better.

In Twitter's case (maybe your case too), both seems OK.

Plus, in any way, when user revoked client access you need to revoke all tokens for the client. User is not revoking "token" but "client".

Since developer should pre-register redirect_uri, using same client credentials both on website and on mobile all seems tricky. So I recommend asking developers to use different client credentials in that case.

Answer 2

Say one client (mobile) of an application needs read-only access and another client (website) needs to write as well. This would require client to be able to decide the scope of token request and hence provider to store multiple tokens with different scopes.

However, it is up to you if you want to extend the scope of an existing token. This means you can keep one scope per application. This can also make easy to revoke access of an application by a user.