0
votes

For example, let's say I have two features, one requires Google Contacts and one requires Google Calendar.

Let's also say that the first feature is heavily used, such that requesting that the user authorize both auth scopes results in a significant drop off rate.

If I store an access token for a user with contacts auth scope bound, what happens when later, I request an additional auth scope calendar for that user? Do I get back a new token with only calendar scope credentials?

LiveConnect says that scopes that supersede the existing scope result in a new token with the umbrella scope, and the old token gets invalidated.

1 Answer

1
vote

Assuming you're talking about authorization_code or implicit grant type flows, a new scope would need to be authorized by the user.

The user agent would be sent to the Authorization Server's authorization endpoint with the (now) required scopes. Required scopes should include the full set of scopes you need (old and new). The user would see the requested scopes, and then authorize them. For authorization_code grant type this results in an authorization code exchanged for a new access token representing the user's consent to the scopes. Implicit would simply return a new access token in the URL fragment. In any case, this new access token would supersede the existing one.

If you have refresh tokens involved, upon requesting a new access token with a refresh token you have the ability to dictate what scope is being requested. However, that scope must be a subset of the original scope (see: OAuth 2.0 spec section 6); extending it is not possible without user consent (assuming the above flows).