Multiple resources per access token

Issue #34 open
Vladimir Prudnikov
created an issue

It seems that multiple resources per token are not allowed.

If the service has multiple resources and a client needs access to many of them, it has to create, store and use different access tokens, which is a very bad user experience.

Comments (3)

  1. MichałJ
    • changed status to open

    I understand your worries, but the Resource model you mention isn't exactly a resource you provide. The name is misleading. In my opinion it should rather be called a scope. And this is how your consumers use it: by sending scope in authorization while requesting a new Token. Furthermore, scope isn't official spec stuff (take a look at issue #25) and use of the Resource model is optional.

    Note that you don't need to define a new Resource for each view. I think that the oauth_required decorator should accept multiple resource names so you could organize your views by access levels. I will change that oauth_required behaviour.

    I think that Resource should be deprecated in the next minor release and definitely renamed to Scope in the next major release to avoid such misconceptions.

    I will try to clarify it in the docs.

  2. Vladimir Prudnikov reporter

    Yes, this is exactly what I meant. I know that Resource is the thing that usually has the name Scope. For example, for a Google Account the scopes are Google Calendar, Gmail, Google Drive etc. But even with scopes it is better to be able to request more than one scope for a single token.

  3. MichałJ

    OK, after some time thinking I'm sure that you are right and a client should be able to request multiple scopes. But sadly this change will require messing with the models and isn't OAuth 1.0 stuff at all. This is why it will go to 3.0.0.
