Overview

OAuth 2.0 Incremental Authorization is an application of the Principle of least privilege, whereby an entity is granted only the privileges it requires.
OAuth 2.0 Incremental Authorization is an Expired Internet Draft https://tools.ietf.org/id/draft-wdenniss-oauth-incremental-auth-00.html
OAuth 2.0 authorization requests that include every scope the client might ever need can result in over-scoped authorization and a sub-optimal Resource Owner consent User Experience. This specification enhances the OAuth 2.0 authorization protocol by adding Incremental Authorization, the ability to request specific OAuth Scopes as needed, when they are needed, removing the requirement to request every possible OAuth Scope upfront.
When the same entity accesses a new resource that requires additional privileges, those privileges are evaluated and, if approved, "added" without the entity having to start the Authorization process over.

The Internet Draft for OAuth 2.0 Incremental Authorization (linked above) defines a new parameter, include_granted_scopes, to be part of the Authorization Request.

Google refers to OAuth 2.0 Incremental Authorization in reference to OAuth 2.0 as follows: you complete the normal flow for requesting an access_token, but make sure that the Authorization Request includes previously granted scopes. This approach allows your application to avoid having to manage multiple access_tokens.
The following rules apply to an access_token obtained from an OAuth 2.0 Incremental Authorization:
- The access_token can be used to access resources corresponding to any of the OAuth Scopes rolled into the new, combined authorization.
- When you use the refresh_token for the combined authorization to obtain an access_token, the access_token represents the combined authorization and can be used for any of its OAuth Scopes.
- If you revoke a token that represents a combined authorization, access to all of that authorization's OAuth Scopes on behalf of the associated user is revoked simultaneously.
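The following is an added, constructed example (not code from the draft or from Google) that models an Authorization Server honouring include_granted_scopes and the three rules above: a request carrying include_granted_scopes=true rolls the client's previously granted OAuth Scopes into the new combined authorization, a refreshed access_token carries the whole combined authorization, and revoking any token of that authorization revokes all of its scopes at once. Endpoint, client and scope names are placeholders; the consent check (the user may approve no more than was requested) is the least-privilege point the page makes.

```python
from urllib.parse import urlencode, urlparse, parse_qs
import secrets

def build_auth_request(endpoint, client_id, redirect_uri, scopes, include_granted=True):
    """Build an Authorization Request asking only for the scopes needed right now."""
    q = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
         "scope": " ".join(scopes), "state": secrets.token_urlsafe(8)}
    if include_granted:
        q["include_granted_scopes"] = "true"  # roll earlier grants into the new authorization
    return endpoint + "?" + urlencode(q)

class AuthorizationServer:
    """In-memory model of an AS supporting incremental authorization (constructed)."""
    def __init__(self):
        self.grants = {}  # grant_id -> {"owner": (client_id, user), "scopes": set}
        self.latest = {}  # (client_id, user) -> most recent grant_id for that pair
        self.tokens = {}  # access_token or refresh_token -> grant_id

    def authorize(self, client_id, user, request_url, consented):
        """Resource Owner approves `consented`, which may not exceed the requested scopes."""
        params = parse_qs(urlparse(request_url).query)
        requested = set(params["scope"][0].split())
        if not consented <= requested:
            raise ValueError("consent must not exceed the requested scopes")
        owner = (client_id, user)
        scopes = set(consented)
        if params.get("include_granted_scopes", ["false"])[0] == "true":
            prior = self.latest.get(owner)
            if prior in self.grants:  # a revoked prior grant contributes nothing
                scopes |= self.grants[prior]["scopes"]
        gid = secrets.token_hex(8)
        self.grants[gid] = {"owner": owner, "scopes": scopes}
        self.latest[owner] = gid
        return self._issue(gid)

    def _issue(self, gid):
        access, refresh = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self.tokens[access], self.tokens[refresh] = gid, gid
        return {"access_token": access, "refresh_token": refresh,
                "scope": " ".join(sorted(self.grants[gid]["scopes"]))}

    def refresh(self, refresh_token):
        """A refreshed access_token represents the whole combined authorization."""
        return self._issue(self.tokens[refresh_token])

    def scopes_for(self, access_token):
        gid = self.tokens.get(access_token)
        return set(self.grants[gid]["scopes"]) if gid in self.grants else set()

    def revoke(self, token):
        """Revoking any token of a combined authorization revokes all of its scopes."""
        self.grants.pop(self.tokens.get(token), None)
```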
We assume that OAuth 2.0 Incremental Authorization could also work where the incremental request requires a higher level of Authorization, as might be encountered with an Authorization Request that includes a new amr_values.