Changes between Version 39 and Version 40 of API_security


Timestamp:
08/15/2012 01:20:07 AM (10 months ago)
Author:
jbe
Comment:

Removed 'duration' and added 'single token'

  • API_security

    v39 v40  
    3636Applications running in the users web-browser (i.e. JavaScript applications) and non-interactive read-only API consumers are exempted from this refresh. Applications running in the users web-browser can't get long term access at all, but will require the user to authorize the application for every session. Non-interactive read-only API consumers refresh their access token by sending their client credentials. 
    3737 
    38 == Multiple authorizations per member for a single client == 
     38== Optional invalidation of previously issued refresh tokens == 
    3939 
    40 When authorizing a client, the user shall see any previously issued long-term authorizations for that client, which are still active. Any previous long-term authorization shall be revoked by default, thus invalidating previously issued refresh tokens for that client, unless the user explicitly agrees to a duplicate authorization (e.g. for multiple native clients on different smartphones). For manually registered clients, the behaviour regarding previously issued authorizations may be configured (field {{{code_grant_multiple}}} in table {{{api_client}}}), thus avoiding an interactive decision by the user. 
     40In case of using the OAuth authorization code grant, the API consumer may request to automatically invalidate previously issued refresh tokens to increase security, if only one refresh token per member is needed at a time. Do do this, the parameter 'single_token' can be set to true, when exchanging the authorization code for the access and refresh token. 
    4141 
    4242[[BR]] 
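Review bot: this hunk flips the security default without saying so: the removed section revoked earlier long-term authorizations (and their refresh tokens) by default unless the user explicitly opted into a duplicate, while the new section keeps earlier refresh tokens valid unless the consumer sets 'single_token'. Please state that default explicitly in the new text (e.g. "Unless single_token is set, previously issued refresh tokens for this client and member remain valid"), and say what happens to the user-facing list of active authorizations and the {{{code_grant_multiple}}} field in {{{api_client}}} that the old section referenced, since the new text drops both. Also fix the typo "Do do this" to "To do this".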
     
    5151 
    5252 //scope// (string) The requested [[API#Accesslevels|access level]] (mandatory) 
    53  
    54  //duration// (integer) How many seconds the OAuth authorization should be valid, 0 for infinity (optional) 
    5553 
    5654 //state// (string) Passed value, which will be send back to the API consumer redirection endpoint, to be used for Cross Site Request Forgery protection (optional) 
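Review bot: removing 'duration' leaves the page without any statement of how long an authorization (and the refresh token issued for it) stays valid; the old parameter at least documented "0 for infinity". Add a sentence to the authorization request section giving the resulting lifetime, or point to where it is now defined, so consumers and reviewers can see whether a permanent authorization is still possible. Unrelated to this change, but in the surrounding context line "will be send back" should read "will be sent back".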
     
    7068 
    7169 //grant_type// (string) Always set to "authorization_code" (mandatory) 
     70 
     71 //single_token// (boolean) Set to true, if only one refresh token for a member is needed at a time. 
    7272 
    7373 //client_id// (string) Set to the redirection endpoint URI of the API consumer (mandatory)
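Review bot: the new 'single_token' entry is the only parameter in this list without an "(optional)" or "(mandatory)" marker, and it does not give the default; since the section above says the consumer "may request" invalidation, it should read something like "(optional, defaults to false)". It should also state how the boolean is encoded in the form-encoded token request (which literal counts as true) and that setting it invalidates all earlier refresh tokens for this client and member, not just the most recent one, so the effect on other installed clients is clear.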