Tags: security, oauth, oauth-2.0, google-oauth

Can a user have two valid token at a time in oauth 2.0 for auth code grant type?


I have a simple question related to OAuth tokens. My requirement is that a user can have multiple scopes, say A and B, and he has generated a token for it, but later on he needs both scope A and B, and his previous token is still valid. So in that case:

  1. Should we update the scope of the existing token?
  2. Should we generate a new token for the new scope?
  3. Or should we generate multiple tokens for a single user?

Solution

  • If you want to update the scope of the existing token and your authorization server provides a mechanism for it, just do it. As a matter of fact, a certain authorization server implementation provides Web APIs to update the scopes of existing access tokens (the /auth/token/update API and the /auth/client/authorization/update API).

    Whether access tokens are modifiable or not depends on each authorization server implementation. For example, if the access token implementation is "self-contained" (e.g. a JWT), access tokens are not modifiable. On the other hand, if the type is "random string" (in this case, the actual data are stored in the DB behind the authorization server), access tokens may be modifiable. See "7.1. Access Token Representation" in "Full-Scratch Implementor of OAuth and OpenID Connect Talks About Findings" for details.

    Some authorization server implementations issue multiple access tokens for one combination of a user and a client application, and other implementations issue only one access token for the combination. A certain authorization server implementation provides a configuration flag that lets you select either of the behaviors, like below. See also this answer.

    [image of the configuration flag: not reproduced]

    Which approach you should take depends on your use case. Look for an authorization server implementation which suits your use case best.
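As an added illustration (not code from the question, the answer, or any authorization server product mentioned above), the Python sketch below models the two access-token representations the answer contrasts. `SelfContainedTokens` issues HS256-signed JWT-style tokens: the scope is inside the signed payload, so an in-place "update" breaks the signature and the only option is to issue a new token. `OpaqueTokenStore` issues random-string tokens backed by a server-side record, so the scope can be changed in place; its `single_token_per_client` flag stands in for the per-(user, client) single-token behaviour the answer describes. All class, method and flag names are assumptions chosen for this example, and the JWS signing is hand-rolled with the standard library so the example runs offline.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time


def _b64url(data: bytes) -> str:
    """Base64url without padding, as used by JWS compact serialization."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def scope_string(scopes) -> str:
    """RFC 6749 scope syntax is space-separated; sorting keeps comparisons stable."""
    return " ".join(sorted(scopes))


class SelfContainedTokens:
    """JWT-style tokens (HS256 via hmac/hashlib; example code, assumed names).
    The scope lives in the signed payload, so changing it means issuing a new token."""

    def __init__(self, key: bytes):
        self.key = key

    def _sign(self, signing_input: bytes) -> str:
        return _b64url(hmac.new(self.key, signing_input, hashlib.sha256).digest())

    def issue(self, user: str, client: str, scopes, ttl: int = 3600) -> str:
        header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
        payload = _b64url(json.dumps({"sub": user, "client_id": client,
                                      "scope": scope_string(scopes),
                                      "exp": int(time.time()) + ttl}).encode())
        signing_input = f"{header}.{payload}"
        return f"{signing_input}.{self._sign(signing_input.encode())}"

    def verify(self, token: str):
        """Return the claims if the signature is valid and the token is unexpired, else None."""
        try:
            header, payload, sig = token.split(".")
        except ValueError:
            return None
        # Only HS256 with our own key is accepted, so the header's alg is not trusted.
        if not hmac.compare_digest(self._sign(f"{header}.{payload}".encode()), sig):
            return None
        claims = json.loads(_b64url_decode(payload))
        return None if claims.get("exp", 0) < time.time() else claims


def tamper_scope(token: str, scopes) -> str:
    """Rewrite the scope claim without re-signing: a naive in-place 'update' of a self-contained token."""
    header, payload, sig = token.split(".")
    claims = json.loads(_b64url_decode(payload))
    claims["scope"] = scope_string(scopes)
    return f"{header}.{_b64url(json.dumps(claims).encode())}.{sig}"


class OpaqueTokenStore:
    """Random-string tokens whose data lives server-side, so scope can be updated in place.
    single_token_per_client (assumed flag name): when True, issuing a token for a
    (user, client) pair revokes that pair's earlier token."""

    def __init__(self, single_token_per_client: bool = False):
        self.single_token_per_client = single_token_per_client
        self._tokens = {}  # token -> record; a real DB should store a hash of the token

    def issue(self, user: str, client: str, scopes, ttl: int = 3600) -> str:
        if self.single_token_per_client:
            for tok, rec in list(self._tokens.items()):
                if rec["sub"] == user and rec["client_id"] == client:
                    del self._tokens[tok]
        token = secrets.token_urlsafe(32)
        self._tokens[token] = {"sub": user, "client_id": client,
                               "scope": scope_string(scopes),
                               "exp": int(time.time()) + ttl}
        return token

    def introspect(self, token: str):
        """RFC 7662-style lookup: a copy of the record if known and unexpired, else None."""
        rec = self._tokens.get(token)
        return None if rec is None or rec["exp"] < time.time() else dict(rec)

    def update_scope(self, token: str, scopes) -> bool:
        """Change an existing token's scope in place; possible only because the token is a reference."""
        if self.introspect(token) is None:
            return False
        self._tokens[token]["scope"] = scope_string(scopes)
        return True

    def active_tokens(self, user: str, client: str) -> int:
        return sum(1 for t, r in self._tokens.items()
                   if self.introspect(t) and r["sub"] == user and r["client_id"] == client)
```

With the self-contained store, `tamper_scope` produces a token that `verify` rejects, which is the concrete reason the answer calls such tokens non-modifiable. With the opaque store, `update_scope` changes what `introspect` reports without handing the client a new string, and flipping `single_token_per_client` decides whether a second issuance for the same user and client revokes the first or leaves both valid, the two behaviours the answer says are implementation choices.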