Via OAuth - should 3:rd party apps be able to retain multiple access tokens per resource owner?

In the API we're developing, the access tokens are unique. With that I mean that there can only be one access token per application and user.

The consequence of this is that if a user authenticates the same third party desktop application on two computers, only the second will have a valid access token and the first will have to go through the authentication process again (the first access token will have been invalidated).

From a user experience perspective this is sub-optimal. From a security perspective it 开发者_JAVA技巧provides a minor benefit.

Curious to know how others have implemented access tokens in their APIs. One per user and app, or multiple?

The access tokens should be unique but the relationship between [user, app] and [token] should be one to many. Whereas in your case it is one to one. It has nothing to do with OAuth as a protocol but rather your implementation detail.