I agree that this is something you could do, but it doesn't seem like a good
design pattern.
________________________________
From: Torsten Lodderstedt <tors...@lodderstedt.net>
To: Eran Hammer-Lahav <e...@hueniverse.com>; OAuth WG <oauth@ietf.org>
Sent: Sunday, July 10, 2011 1:21 AM
Subject: Re: [OAUTH-WG] Refresh token security considerations
Replacement of the refresh token with every access token refresh is an example.
The authz server creates and returns a new refresh token value with every
access token refreshment. The old value is invalidated and must not be used any
further. Note: The authz server keeps track of all old (invalidated) refresh
tokens.
If a client presents one of those old refresh tokens, the legitimate client has
been compromised most likely. The authz then revokes the refresh token and the
associated access authorization.
regards,
Torsten.
Eran Hammer-Lahav <e...@hueniverse.com> wrote:
>“the authorization server SHOULD deploy other means to detect refresh token
>abuse”
>
>This requires an example.
>
>EHL
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
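The rotation-plus-reuse-detection scheme Torsten describes above, written out as an added example (this is illustrative code, not from the thread or from any OAuth implementation). The class and method names (AuthorizationServer, issue_grant, refresh, validate_access_token) are assumptions; a real server would persist the token-to-grant map and expire old entries rather than keep them in memory forever.

```python
"""Refresh-token rotation with reuse detection (added example, not from the thread).

Every refresh returns a new refresh token and invalidates the old one. The server
remembers every refresh token it ever issued, so presenting an old one is detectable:
it means two parties hold tokens for the same grant, and the grant is revoked.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


class RefreshError(Exception):
    """Raised when a refresh request is rejected."""


@dataclass
class Grant:
    """One access authorization (user + client), i.e. one refresh-token family."""
    grant_id: str
    current_refresh_token: Optional[str]   # the only refresh token that is still valid
    revoked: bool = False


class AuthorizationServer:
    """Hypothetical in-memory authorization server (name is an assumption)."""

    def __init__(self) -> None:
        self._grants: Dict[str, Grant] = {}
        # Every refresh token ever issued -> grant id. Old (invalidated) tokens are
        # deliberately kept so that their reuse can be recognised later.
        self._refresh_to_grant: Dict[str, str] = {}
        # Access tokens -> grant id, so revoking a grant also kills its access tokens.
        self._access_to_grant: Dict[str, str] = {}

    def _new_refresh_token(self, grant_id: str) -> str:
        token = secrets.token_urlsafe(32)
        self._refresh_to_grant[token] = grant_id
        return token

    def _new_access_token(self, grant_id: str) -> str:
        token = secrets.token_urlsafe(32)
        self._access_to_grant[token] = grant_id
        return token

    def issue_grant(self) -> Tuple[str, str]:
        """Initial authorization: returns (access_token, refresh_token)."""
        grant_id = secrets.token_urlsafe(8)
        refresh = self._new_refresh_token(grant_id)
        self._grants[grant_id] = Grant(grant_id, refresh)
        return self._new_access_token(grant_id), refresh

    def refresh(self, presented: str) -> Tuple[str, str]:
        """Exchange a refresh token for a new (access_token, refresh_token) pair."""
        grant_id = self._refresh_to_grant.get(presented)
        if grant_id is None:
            raise RefreshError("unknown refresh token")
        grant = self._grants[grant_id]
        if grant.revoked:
            raise RefreshError("grant has been revoked")
        if presented != grant.current_refresh_token:
            # An old, already-replaced token was presented. Someone else holds a
            # copy of this family's tokens, so revoke the whole authorization.
            grant.revoked = True
            grant.current_refresh_token = None
            raise RefreshError("refresh token reuse detected; grant revoked")
        # Normal path: rotate. The presented token is now invalid from here on.
        new_refresh = self._new_refresh_token(grant_id)
        grant.current_refresh_token = new_refresh
        return self._new_access_token(grant_id), new_refresh

    def validate_access_token(self, token: str) -> bool:
        """True if the access token belongs to a grant that has not been revoked."""
        grant_id = self._access_to_grant.get(token)
        return grant_id is not None and not self._grants[grant_id].revoked


if __name__ == "__main__":
    srv = AuthorizationServer()
    access1, refresh1 = srv.issue_grant()
    access2, refresh2 = srv.refresh(refresh1)      # rotation: refresh1 is now dead
    try:
        srv.refresh(refresh1)                       # replay of the old token
    except RefreshError as e:
        print("rejected:", e)
    print("access2 still valid?", srv.validate_access_token(access2))  # False
```

Note the failure mode a deployer has to accept: if the response carrying the new refresh token is lost in transit, the legitimate client will retry with the old one and trigger the same revocation, forcing a fresh user authorization. That is the cost of treating any reuse as compromise.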