OAuth 2.0 Incremental Authorization is part of the concept of Principle of least privilege where as an entity is only granted privileges required.

When the same entity accesses a new resource which requires additional privileges, they are then evaluated and if desired "added" without the entity without the entity starting over in the Authorization process.

OAuth 2.0 Incremental Authorization may require additional level of Authentication or Authorization to be granted access to the resource.

There is an Internet Draft for OAuth 2.0 Incremental Authorization available at OAuth 2.0 Incremental Authorization and defines a new parameter include_granted_scopes to to be part of the Authorization Request.

OAuth 2.0 Incremental Authorization and Google#

Google refers to OAuth 2.0 Incremental Authorization in reference to OAuth 2.0 as you complete the normal flow for requesting an access_token but make sure that the Authorization Request includes previously granted scopes. This approach allows your application to avoid having to manage multiple access_tokens.

The following rules apply to an access_tokens obtained from an OAuth 2.0 Incremental Authorization:

The combined authorization includes all scopes that the user granted to the API project even if the grants were requested from different clients. For example, if a user granted access to one OAuth Scopes using an application's desktop client and then granted another OAuth Scopes to the same application via a mobile Device, the combined authorization would include both scopes.

We assume that the OAuth 2.0 Incremental Authorization could also work if the OAuth 2.0 Incremental Authorization also required a Higher level of Authorization as might be encountered with a Authorization Request that included a new amr_values.

More Information#

There might be more information for this subject on one of the following:

Add new attachment

Only authorized users are allowed to upload new attachments.
« This page (revision-12) was last changed on 14-Jul-2017 20:29 by jim