+1

On 02.09.2010 19:11, Eran Hammer-Lahav wrote:
Is this reasonable?

"The authorization server MAY issue a new refresh token, in which case, the client MUST discard the old refresh token and replace it with the new refresh token."

This is as much consensus as I was able to extract.

EHL

-----Original Message-----
From: Torsten Lodderstedt [mailto:tors...@lodderstedt.net]
Sent: Wednesday, July 14, 2010 2:33 PM
To: Brian Eaton
Cc: Kris Selden; Eran Hammer-Lahav; OAuth WG
Subject: Re: [OAUTH-WG] issuing new refresh tokens

On Tue, Jul 13, 2010 at 9:58 PM, Torsten Lodderstedt <tors...@lodderstedt.net> wrote:

We plan to issue new refresh tokens for certain clients only (mobile,
desktop), it's part of the client-related policy. So the behavior for a 
particular client is predictable.

Nice.

Would you be willing to expand on the current spec language a bit, to
explain the use cases, and offer more normative language about how
clients should handle refresh token exchange?

This is a cool feature, but the current language is kind of vague.

Cheers,
Brian

I'm not sure what you would like me to write. But let's get started:

We expected the clients to discard the old refresh token and to use the newly 
issued refresh token instead. The old refresh token is revoked instantly. Any 
attempt to use it afterwards is interpreted as a potential misuse because the 
assumption would be that an adversary has copied the token or cloned the 
device. The client should notify the user of the problem and recommend that 
they check their application authorizations (refresh tokens) in our user self care 
portal. There, the user will have access to information on when the token has 
been used the last time and can thereby detect any odd behavior. The user could 
then revoke the token and/or alert the provider's helpdesk.

regards,
Torsten.


_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
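The rotation-and-reuse-detection scheme Torsten describes above, as an added example that is not part of the thread and not code from any OAuth implementation named in it. It assumes a per-client policy (rotate only for the hypothetical "mobile" and "desktop" client types), a revoked old token whose replay revokes and flags the whole grant, a client that swaps in the new token and raises a user alert on rejection, and a hypothetical self-care view listing each grant's last use; all names, the client types and the timestamps are constructed for the example.

```python
"""Refresh token rotation with reuse detection (added example, not from the thread)."""
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

# Hypothetical per-client policy: rotate refresh tokens only for native
# clients (mobile/desktop), as described in the thread; other clients
# keep their refresh token across refreshes.
ROTATE_FOR_CLIENT_TYPES = {"mobile", "desktop"}


@dataclass
class RefreshToken:
    value: str
    grant_id: str                      # the user authorization it belongs to
    client_id: str
    revoked: bool = False
    last_used: Optional[float] = None  # surfaced in the self-care view


@dataclass
class Grant:
    grant_id: str
    user: str
    client_id: str
    client_type: str
    revoked: bool = False
    suspicious: bool = False           # set when a revoked token is replayed


class AuthorizationServer:
    def __init__(self):
        self.tokens: Dict[str, RefreshToken] = {}
        self.grants: Dict[str, Grant] = {}

    def _new_token(self, grant: Grant) -> str:
        value = secrets.token_urlsafe(32)
        self.tokens[value] = RefreshToken(value, grant.grant_id, grant.client_id)
        return value

    def authorize(self, user: str, client_id: str, client_type: str) -> str:
        """User approves the client; returns the initial refresh token."""
        grant = Grant(secrets.token_hex(8), user, client_id, client_type)
        self.grants[grant.grant_id] = grant
        return self._new_token(grant)

    def refresh(self, client_id: str, refresh_token: str, now: Optional[float] = None) -> dict:
        now = time.time() if now is None else now
        tok = self.tokens.get(refresh_token)
        if tok is None or tok.client_id != client_id:
            return {"error": "invalid_grant"}
        grant = self.grants[tok.grant_id]
        if tok.revoked:
            # Replay of an already-rotated token: assume the token was copied or
            # the device cloned. Kill the whole grant and flag it for the user.
            grant.revoked = True
            grant.suspicious = True
            tok.last_used = now
            return {"error": "invalid_grant", "reason": "refresh_token_reuse"}
        if grant.revoked:
            return {"error": "invalid_grant", "reason": "grant_revoked"}
        tok.last_used = now
        reply = {"access_token": secrets.token_urlsafe(16), "expires_in": 3600}
        if grant.client_type in ROTATE_FOR_CLIENT_TYPES:
            tok.revoked = True                       # old token dies instantly
            reply["refresh_token"] = self._new_token(grant)
        return reply

    def self_care_view(self, user: str) -> list:
        """Per grant of this user: client, last use, revoked/suspicious flags."""
        view = []
        for g in self.grants.values():
            if g.user != user:
                continue
            used = [t.last_used for t in self.tokens.values()
                    if t.grant_id == g.grant_id and t.last_used is not None]
            view.append({"client_id": g.client_id, "last_used": max(used) if used else None,
                         "revoked": g.revoked, "suspicious": g.suspicious})
        return view


class NativeClient:
    """Client side: keep only the newest refresh token, alert the user on rejection."""
    def __init__(self, client_id: str, refresh_token: str):
        self.client_id = client_id
        self.refresh_token = refresh_token
        self.user_alert: Optional[str] = None

    def get_access_token(self, server: AuthorizationServer, now: Optional[float] = None):
        reply = server.refresh(self.client_id, self.refresh_token, now)
        if "error" in reply:
            self.user_alert = ("Refresh token rejected (%s): please check your application "
                               "authorizations in the self-care portal." % reply.get("reason"))
            return None
        if "refresh_token" in reply:
            self.refresh_token = reply["refresh_token"]  # discard old, keep new
        return reply["access_token"]


def run_scenario() -> dict:
    """Legitimate refresh, then an adversary replays the copied old token."""
    srv = AuthorizationServer()
    rt0 = srv.authorize("alice", "mobile-app", "mobile")
    client = NativeClient("mobile-app", rt0)
    stolen = rt0                                          # adversary copied rt0
    at1 = client.get_access_token(srv, now=1000.0)        # rt0 revoked, rt1 issued
    replay = srv.refresh("mobile-app", stolen, now=2000.0)  # adversary replays rt0
    at2 = client.get_access_token(srv, now=3000.0)        # legit rt1 now fails too
    rtw = srv.authorize("alice", "web-app", "web")        # non-rotating client
    srv.refresh("web-app", rtw, now=1500.0)
    return {
        "first_refresh_ok": at1 is not None,
        "rotated": client.refresh_token != rt0,
        "replay_error": replay.get("reason"),
        "grant_flagged": srv.self_care_view("alice")[0]["suspicious"],
        "legit_blocked_after_replay": at2 is None,
        "user_alert": client.user_alert,
        "web_token_unchanged": "access_token" in srv.refresh("web-app", rtw, now=1600.0),
        "portal": srv.self_care_view("alice"),
    }


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(k, "=", v)
```

The grant-wide revocation on replay is what makes the scheme detect cloning rather than merely limit it: once the old token is replayed, neither party can tell which holder is legitimate, so both are cut off and the user is pointed at the last-used timestamp to decide.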
