I have web application for issuing tokens to clients (OAuth2), where implimented authorization сode grant type. At the moment, each time the client requests (applications), wishing to receive a token to use resource api on behalf of one user - the new token is given and the old token is no longer valid (regardless of which device the request was made).
What I want. Add the possibility of issuing different tokens for the same customer who wants to get access to the resource api on behalf of the same user, but generating a request with different devices.
Example. Installed on a home computer application "ClientApp" wants to get a token to access the web service "PhotoService" from the user name "Max". To do this, the application "ClientApp" refers to authorization service "OAuth2Service" for the token, which will continue to refer to "PhotoService". As a result, "ClientApp" receives a token. When installed on work computer, the app "ClientApp" trying to get a token from the "OAuth2Service" then he should be given a new token, while the old token is received while using a home computer must remain valid. That is, the token must be attached to the device from which the request was made, the client (client_id) and the user on whose behalf the client will use resource api. For the same device, the same customer, the same user must return a new token, and the old should not be valid.
How to distinguish the device from which the request was made?
There are reasons that I can use User-Agent of the header (example: Mozilla / 5.0 (Windows NT 6.1; WOW64; rv: 41.0) Gecko / 20100101 Firefox / 41.0), but on different devices can be installed the same version browser, OS. Besides the parameter User-Agent can not be while requesting to the authorization service.
Way # 2 - transfer the description of the device in http parameter. Earlier I didn't meet such implementation. For this reason, this approach is questionable.
For implementation OAuth2 applications using Apache Oltu.
