Limiting simultaneous authorisations for a user/consumer combination in OAuth 2.0

Question

I'm building a service which will act as an OAuth 2.0 provider. I want to be able to limit the number of simultaneous authorisations that a user has for a specific consumer.

For example, each user of a consumer application should only be able to have, say, three simultaneous authorisations for that consumer, and thus only be able to use three clients simultaneously. When they try and authorise a fourth time it should prompt the user to remove the authorisation for an existing client before they can continue.

In my limited experience of OAuth, the token for a consumer application is always the same for a user and consumer combination, and so there's no way of revoking access to specific clients - only consumers.

Is there any provision in OAuth 2.0 for making a client identifier part of that combination, and thus part of the token? I'm specifically interested in OAuth 2.0 because of the User-Agent flow.

Or am I barking up the wrong tree entirely, and should I be looking at laying different system on top of OAuth?

Answer 1

It seems like you could generate authorization-specific access tokens and include metadata about which client/authorization instance each refers to either on the token itself (encoded form of -1, etc.) or within your app (where each access token is unique). In fact, doing so could probably be considered an improvement over most provider implementations as individual clients could be recognized more easily (for abuse, etc.).

Tokens needn't take on any particular format, so you're free to overload them with as much or as little semantic information as you want and adapt your UI and UX to match.