songkick / oauth2-provider

Simple OAuth 2.0 provider toolkit

Multiple instances of the same client_id invalidate access tokens

swishstache opened this issue · comments

I don't see this addressed in the draft (10 or later versions). This is the only reference I can find on the issue: http://tools.ietf.org/html/draft-richer-oauth-instance-00

Let's say I have some browser add-on installed on my laptop and that same add-on installed on my desktop, and I go through a user-agent flow on my desktop to get a token:

http://local/oauth2/authorize?client_id=b06jrfu82u3adi9ludzfnb1ik&redirect_uri=http://www.clientsite.org/q&scope=read create&response_type=token

Everything is fine. But when I do the same flow on my laptop, the access token my desktop has is now replaced.

Is there something additional I'm missing or is this a failing in the draft (10)?

This is undefined in the spec, and a behaviour this library does not support. We've considered it, but it's never been a big enough problem for us.

There are a couple of ways you could fix it: either introduce a new Token object such that Authorization.has_many :tokens, or switch to self-contained encrypted tokens, using randomized authenticated encryption.
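
The second option above, as an added example that is not part of songkick/oauth2-provider: each issued token is its own AES-256-GCM ciphertext of the authorization (client_id, owner, scope, expiry) under a fresh random nonce, so a second instance of the same client_id gets a distinct token and the first one keeps working. The class name, payload fields and key handling are assumptions for this illustration, and revocation still needs a separate mechanism (a revoked flag on the authorization or key rotation) since nothing per token is stored.

```ruby
require 'openssl'
require 'json'

# Self-contained access tokens via randomized authenticated encryption.
# Hypothetical class; the payload fields are assumptions, not the library's model.
class SelfContainedTokens
  CIPHER = 'aes-256-gcm'

  def initialize(key)
    raise ArgumentError, 'need a 32-byte key' unless key.bytesize == 32
    @key = key
  end

  # Issue a token for one authorization. Every call uses a new random IV, so
  # two instances of the same client_id receive two different, both-valid tokens.
  def issue(client_id:, owner_id:, scope:, ttl: 3600, now: Time.now.to_i)
    payload = JSON.generate(client_id: client_id, owner_id: owner_id,
                            scope: scope, exp: now + ttl)
    cipher = OpenSSL::Cipher.new(CIPHER).encrypt
    cipher.key = @key
    iv = cipher.random_iv                 # 12 random bytes per token
    cipher.auth_data = ''
    ciphertext = cipher.update(payload) + cipher.final
    # token = base64url( iv || ciphertext || 16-byte GCM tag )
    [iv + ciphertext + cipher.auth_tag].pack('m0').tr('+/', '-_').delete('=')
  end

  # Returns the authorization hash, or nil if the token is forged, truncated,
  # tampered with or expired. No per-token database row is consulted.
  def validate(token, now: Time.now.to_i)
    raw = (token.tr('-_', '+/') + '=' * (-token.length % 4)).unpack1('m0')
    return nil if raw.bytesize < 12 + 16
    iv, tag, ciphertext = raw[0, 12], raw[-16, 16], raw[12...-16]
    cipher = OpenSSL::Cipher.new(CIPHER).decrypt
    cipher.key = @key
    cipher.iv = iv
    cipher.auth_tag = tag
    cipher.auth_data = ''
    payload = JSON.parse(cipher.update(ciphertext) + cipher.final)  # raises on bad tag
    payload['exp'] > now ? payload : nil
  rescue OpenSSL::Cipher::CipherError, ArgumentError, JSON::ParserError
    nil
  end
end
```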

Argh. I'll explore the token object route -- thanks!