
In the API we're developing, the access tokens are unique. By that I mean that there can only be one access token per application and user.

The consequence of this is that if a user authenticates the same third party desktop application on two computers, only the second will have a valid access token and the first will have to go through the authentication process again (the first access token will have been invalidated).

From a user experience perspective this is sub-optimal. From a security perspective it provides a minor benefit.

Curious to know how others have implemented access tokens in their APIs. One per user and app, or multiple?

Jon Nylander

1 Answer


The access tokens should be unique, but the relationship between [user, app] and [token] should be one to many, whereas in your case it is one to one. It has nothing to do with OAuth as a protocol but rather your implementation detail.

Zepplock
  • Yes - it has to do with our implementation. Can you see any drawbacks to the one-to-many implementation? Otherwise I cannot really see why we would choose one-to-one because of a minor security hang-up. – Jon Nylander May 12 '11 at 10:13
  • I think the majority of implementations use a one-to-many relationship exactly for the reasons you have specified. You might want to choose one-to-one to limit the number of logins by a user to one, but that sounds like application functionality and not OAuth. – Zepplock May 12 '11 at 15:40
  • To expound on this issue. Would it not be ok to serve an already valid access token, if there is one? That would simplify matters considerably. – Jon Nylander Jul 13 '11 at 09:17
  • Well it's just like using the same password on different web sites. It is probably OK but could be a security issue. – Zepplock Jul 13 '11 at 16:35
  • Hmm, I'm not sure I agree about it being the same. You would still have to go through the complete OAuth "dance" to get the already valid access token, so unless a client has been compromised and lost its consumer key and secret it should not be an issue. But I am over-theorizing I guess :) – Jon Nylander Jul 13 '11 at 21:55
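As an added example (not code from the question or the answer), here is a minimal in-memory token store in Python that can be switched between the one-to-one model the asker describes (a new grant for the same user and app revokes the earlier token) and the one-to-many model the answer recommends (each authorization, e.g. each computer, gets its own token that can be revoked on its own). The class name, the `one_per_pair` switch and the choice to keep only a SHA-256 digest of each token at rest are assumptions of this example.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass, field


def _digest(tok):
    # Only the digest is stored, so a leaked store does not yield usable bearer tokens.
    return hashlib.sha256(tok.encode()).hexdigest()


@dataclass
class TokenStore:
    one_per_pair: bool = False        # True = one-to-one (question), False = one-to-many (answer)
    ttl: int = 3600                   # lifetime in seconds
    _tokens: dict = field(default_factory=dict)   # digest -> (user, client, expiry)

    def issue(self, user, client, now=None):
        now = time.time() if now is None else now
        if self.one_per_pair:
            # One-to-one: the previous token for this (user, client) pair is invalidated.
            for d in [d for d, (u, c, _) in self._tokens.items() if (u, c) == (user, client)]:
                del self._tokens[d]
        tok = secrets.token_urlsafe(32)
        self._tokens[_digest(tok)] = (user, client, now + self.ttl)
        return tok

    def validate(self, tok, now=None):
        now = time.time() if now is None else now
        entry = self._tokens.get(_digest(tok))
        if entry is None or entry[2] <= now:
            self._tokens.pop(_digest(tok), None)   # drop expired entries lazily
            return None
        return entry[:2]

    def revoke(self, tok):
        return self._tokens.pop(_digest(tok), None) is not None

    def revoke_all(self, user, client=None):
        # Per-device revocation is only possible in the one-to-many model.
        victims = [d for d, (u, c, _) in self._tokens.items() if u == user and client in (None, c)]
        for d in victims:
            del self._tokens[d]
        return len(victims)


def demo():
    one_to_one = TokenStore(one_per_pair=True)
    first = one_to_one.issue("alice", "desktop-app")
    one_to_one.issue("alice", "desktop-app")          # same app on a second computer
    first_logged_out = one_to_one.validate(first) is None
    one_to_many = TokenStore()
    a, b = one_to_many.issue("alice", "desktop-app"), one_to_many.issue("alice", "desktop-app")
    both_live = one_to_many.validate(a) is not None and one_to_many.validate(b) is not None
    return first_logged_out, both_live
```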