This seems to need a chair to step in.  Tony is taking a strong stand
and maintaining it:

On Thu, Aug 11, 2011 at 1:40 PM, Anthony Nadalin wrote:
> Nowhere in the specification is there an explanation for refresh tokens. The
> reason that the Refresh token was introduced was for anonymity. The scenario
> is that a client asks the user for access. The user wants to grant the
> access but not tell the client the user's identity. By issuing the refresh
> token as an 'identifier' for the user (as well as other context data like
> the resource) it's possible now to let the client get access without
> revealing anything about the user. Recommend that the above explanation be
> included so developers understand why the refresh tokens are there.

So far, though it's been only half a day, I've seen several posts
disagreeing with Tony, and none supporting any change to the text for
this.  We're close to ending WGLC, so please post here if you agree
with Tony's suggested change.  Otherwise, it looks like consensus is

Barry, as chair