Tags: scope, access-token, oauth-2.0

Oauth2 access token specifications and handling scope


I have two questions that I can't completely get my head around; I hope someone can explain them clearly:

1: You request an access token with a valid code and the scope “access_userdata”. An access token is saved to the database with an expiry date of 10 days. Is it possible to add a new scope to the access token? Is it common? Or do you list all the scopes directly in an app to which the user has to give his/her approval? If possible, do you just look up the access token and add the new scope to it?

2: Let's say you have created an application which you use on your computer and tablet. First, you get an access token on your computer which is set with an expiry date of 10 days. The next day, you do the same on your tablet. Will a new access token be generated? Or will the server return the same token because you are the same user as on the computer and the token hasn't expired yet? I suppose you can have multiple access tokens for the same user?


Solution

This is a good question =)

First off, I'm assuming that when you say you have a token, you actually have a JSON Web Token (JWT) -- is that correct? I'm going to assume so.

1. JWTs cannot be modified once they are signed. So no, you cannot 'modify' an existing token and just 'add' scopes into it. What you can do, however, is create a NEW JWT object, and store that in your database with the newly included scopes. If your token was given to you by a third party provider like Google or Facebook, you cannot modify those tokens yourself. Only the person who ISSUED the token can change it.

2. This depends on the issuer of the token. Typically, with the OAuth flow, the answer is yes: each device you log in from will get a brand new token with its own expiration date / time. It is very common to have MANY tokens for a single user.
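To make both points of the answer concrete, here is an added example (not code from the original post) using a minimal HS256 JWT issuer and verifier built on the Python standard library: editing the scope claim of a stored token breaks its signature, so the supported path is to verify the old token and issue a new one, and every device login simply gets its own freshly signed token. The secret key, the user name and the 10-day lifetime are constructed sample values.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-secret"  # assumption: the issuer's HMAC key, sample value only
TEN_DAYS = 10 * 24 * 3600             # the 10-day lifetime from the question

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(user, scopes, now, lifetime=TEN_DAYS):
    """Sign a brand-new JWT for one user/device with the given scopes and its own expiry."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    claims = {"sub": user, "scope": " ".join(scopes), "iat": now, "exp": now + lifetime}
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_token(token, now):
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None  # any change to header or payload invalidates the signature
    claims = json.loads(_b64url_decode(payload))
    return claims if claims.get("exp", 0) > now else None

def edit_scope_in_place(token, extra_scope):
    """Append a scope without re-signing: this is what 'editing the stored token' amounts to."""
    header, payload, sig = token.split(".")
    claims = json.loads(_b64url_decode(payload))
    claims["scope"] += " " + extra_scope
    return f"{header}.{_b64url(json.dumps(claims, separators=(',', ':')).encode())}.{sig}"

def grant_additional_scope(token, extra_scope, now):
    """Supported path: verify the old token, then issue a NEW token carrying the extra scope."""
    claims = verify_token(token, now)
    if claims is None:
        return None
    return issue_token(claims["sub"], claims["scope"].split() + [extra_scope], now)
```

The old token remains valid until it expires or the server revokes it, so the database should track both tokens for the user rather than overwriting one with the other.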