Extension to Allow Clients to Get Tokens Secured by Ticket

[dshanske]

Want to start discussing this.

Proposing a simplified way for a client to get access to the token secured by the ticket endpoint. Starting with the autoauth solution, suggest that the client, in a user initiated interaction, needs to secure a token with a scope that gives it permission to retrieve tokens, let's say scope 'external_token'. We already have a flow for this, so no changes are required.

So, using the example of a social reader application, when you configure it, you grant it, or don't grant it permission to retrieve external tokens.

Then, the client would use that token, with the scope, to request it be given a copy of the stored token. That would likely be at the token endpoint for the user they are obtaining it on behalf of, with a new grant_type, providing the token that authorizes them to get these tokens, the client_id of the client requesting it, and the resource the URL the token allows access for.

Just started thinking about this, so a bit rough.