Allow grant extension to specify alternative expiration time to the access token it creates #66

@jeffxpx


I'm working on an interesting scenario where I'm hoping to allow users to sign up and authorize another computer (not my web server) somewhere to update their data but only for something like 24 hours.

Here's the flow idea I have:

  • User logs in and is given the authorize dialog.
  • User authorizes thing and is redirected to another spot on the website.
  • That page they're redirected to makes sure the code / token is legit and then sends a message via SQS (or whatever queue service you like), which goes to the other computer and says that the given user has allowed access to that computer to update things for it.
  • That computer makes an API request with its OAuth token to request a code that I'd make with my grant extension and sends it back to the computer.
  • That computer then calls the token uri and requests an access token with my grant extension and the code included.
  • My grant extension verifies the code it just gave and notifies the thing that gives the access tokens to only give an access token that lives for 24 hours or so.
  • The computer uses that newly created access token to update the user's profile.

First of all, that sounds a bit complex, but these are my thoughts on accomplishing this particular scenario while making sure everything's authenticated properly. Any thoughts on how to make that simpler?

If that's indeed the way to go, I can do pretty much all of those steps except for the last one because I don't think there's a way to specify only an access token and only 24 hours from a grant extension...yet :).

It should be minimally intrusive. Just have the grant extension in its return value specify an expiry length and a way to say no refresh tokens.

If I send a pull request, will you take it?
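A sketch of the proposal in the post above, added here as an example; it is not code from the project or from the poster. It models a grant extension whose return value carries an expiry length and a no-refresh-token flag, and a token issuer that honours both. All names (`GrantResult`, `DelegationGrant`, `issue_token`, `DEFAULT_TTL`, `MAX_EXTENSION_TTL`) are hypothetical, Python is used only for illustration, and the single-use code, client binding and server-side lifetime ceiling are assumptions.

```python
import secrets
from dataclasses import dataclass
from typing import Optional

DEFAULT_TTL = 3600         # assumed server default access-token lifetime, seconds
MAX_EXTENSION_TTL = 86400  # assumed ceiling an extension may request (24 hours)

@dataclass
class GrantResult:
    """What the hypothetical grant extension returns to the token issuer."""
    user_id: str
    access_token_ttl: Optional[int] = None  # None means "use the server default"
    issue_refresh_token: bool = True

class DelegationGrant:
    """Hypothetical extension: redeems a one-time code for a 24h, no-refresh token."""
    def __init__(self):
        self._codes = {}  # code -> (user_id, client_id, expires_at)

    def create_code(self, user_id, client_id, now, ttl=300):
        code = secrets.token_urlsafe(32)
        self._codes[code] = (user_id, client_id, now + ttl)
        return code

    def check(self, code, client_id, now):
        entry = self._codes.pop(code, None)  # pop: a code is burned on first use
        if entry is None:
            return None
        user_id, bound_client, expires_at = entry
        if bound_client != client_id or now >= expires_at:
            return None  # wrong client or stale code: no grant
        return GrantResult(user_id, access_token_ttl=86400, issue_refresh_token=False)

def issue_token(result, now):
    """Issuer side: apply the extension's overrides, clamped to the server ceiling."""
    ttl = DEFAULT_TTL if result.access_token_ttl is None else result.access_token_ttl
    if ttl <= 0:
        raise ValueError("access_token_ttl must be positive")
    ttl = min(ttl, MAX_EXTENSION_TTL)  # an extension cannot exceed the ceiling
    token = {"access_token": secrets.token_urlsafe(32), "token_type": "bearer",
             "expires_in": ttl, "expires_at": now + ttl, "user_id": result.user_id}
    if result.issue_refresh_token:  # omitted entirely when the extension says no
        token["refresh_token"] = secrets.token_urlsafe(32)
    return token
```

Without a refresh token, the `expires_at` value is a hard stop on the delegated access: the other computer has to go through the code step again to continue.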
