It seems to me that the issue is to more cleanly implement the concept that:
- creating the token for the first time will create the token entry and enumerate the authorization agreed
- validating a token should simply enumerate the authorisation agreed at the time of authentication
It seems to me that the issue is to more cleanly implement the concept that:
- creating the token for the first time will create the token entry and enumerate the authorization agreed
- validating a token should simply enumerate the authorisation agreed at the time of authentication