Precisely! In fact, anonymity of this sort can be achieved even without a refresh token, as long as the end user is not required to authenticate to the client.

But for all I remember, we have never had a SINGLE USE CASE (sorry to transition to my pet peeve) that required anonymity. The original and overarching OAuth requirement has been not to reveal user credentials; the refresh tokens were required in order to make the end user's life easier. In short, I do not recall anonymity being the end.

I have no doubt that Tony has a new important use case, and I think we should document it, derive requirements from it, and pursue this in the next OAuth release.

Igor



On 8/12/2011 11:10 AM, Torsten Lodderstedt wrote:
OAuth allows a client to access user resources without revealing the resource owner's identity to the client. Isn't this anonymity? I consider this an important property of the protocol.

regards,
Torsten.


On Thu, 11 Aug 2011 21:00:54 -0400, Barry Leiba wrote:
This seems to need a chair to step in.  Tony is taking a strong stand
and maintaining it:

On Thu, Aug 11, 2011 at 1:40 PM, Anthony Nadalin
<[email protected]> wrote:
Nowhere in the specification is there an explanation for refresh tokens. The reason that the refresh token was introduced was anonymity. The scenario is that a client asks the user for access. The user wants to grant the access but not tell the client the user's identity. By issuing the refresh token as an 'identifier' for the user (as well as other context data like the resource) it's possible now to let the client get access without revealing anything about the user. Recommend that the above explanation be included so developers understand why the refresh tokens are there.

So far, though it's been only half a day, I've seen several posts
disagreeing with Tony, and none supporting any change to the text for
this.  We're close to ending WGLC, so please post here if you agree
with Tony's suggested change.  Otherwise, it looks like consensus is
against.

Barry, as chair
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth

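The mechanism Tony and Torsten argue about above, as an added illustration that is not code from this thread or from the OAuth specification: an in-memory authorization server keeps the user-to-grant mapping on its side and hands the client only opaque, randomly generated codes and tokens, so the token response the client sees contains no user identifier, and the refresh token still lets it obtain new access tokens later. The class and function names, the client identifiers "client-A"/"client-B", the scope string "read" and the sample user record are all constructed for this example; token rotation and client binding on the refresh grant are design choices made here, not something the thread states.

```python
import secrets
import time


class AuthorizationServer:
    """Keeps the user/grant mapping server-side; clients get only opaque tokens."""

    def __init__(self, access_ttl=300):
        self.access_ttl = access_ttl
        self._codes = {}           # authorization code -> grant record
        self._refresh_tokens = {}  # refresh token -> grant record
        self._access_tokens = {}   # access token -> (grant record, expiry)

    @staticmethod
    def _opaque():
        # Random and unguessable; encodes nothing about the user.
        return secrets.token_urlsafe(32)

    def grant_authorization(self, user_id, client_id, scope):
        """Resource owner consents at the AS; the client receives a code, not the identity."""
        code = self._opaque()
        self._codes[code] = {"user_id": user_id, "client_id": client_id, "scope": scope}
        return code

    def _issue_tokens(self, grant):
        access, refresh = self._opaque(), self._opaque()
        self._access_tokens[access] = (grant, time.time() + self.access_ttl)
        self._refresh_tokens[refresh] = grant
        # This is everything the client gets back; no user identifier is included.
        return {
            "access_token": access,
            "token_type": "Bearer",
            "expires_in": self.access_ttl,
            "refresh_token": refresh,
            "scope": grant["scope"],
        }

    def token(self, grant_type, client_id, code=None, refresh_token=None):
        """Token endpoint handling the authorization_code and refresh_token grants."""
        if grant_type == "authorization_code":
            grant = self._codes.get(code)
        elif grant_type == "refresh_token":
            grant = self._refresh_tokens.get(refresh_token)
        else:
            return {"error": "unsupported_grant_type"}
        # Reject unknown tokens and tokens presented by a client they were not issued to.
        if grant is None or grant["client_id"] != client_id:
            return {"error": "invalid_grant"}
        # Codes are single-use and refresh tokens are rotated (an assumption made
        # here), so replaying an already-used value fails.
        if grant_type == "authorization_code":
            del self._codes[code]
        else:
            del self._refresh_tokens[refresh_token]
        return self._issue_tokens(grant)

    def introspect(self, access_token):
        """Called by the resource server only; the client never sees this mapping."""
        entry = self._access_tokens.get(access_token)
        if entry is None or entry[1] < time.time():
            return None
        return entry[0]


class ResourceServer:
    def __init__(self, auth_server, data_by_user):
        self.auth_server = auth_server
        self.data_by_user = data_by_user

    def read(self, access_token):
        grant = self.auth_server.introspect(access_token)
        if grant is None or "read" not in grant["scope"].split():
            return None
        return self.data_by_user.get(grant["user_id"])


def reveals_identity(token_response, user_id):
    """True if the user identifier appears anywhere in what the client received."""
    return any(user_id in str(v) for v in token_response.values())


def run_flow():
    auth = AuthorizationServer()
    rs = ResourceServer(auth, {"alice": ["constructed sample record"]})  # constructed data
    code = auth.grant_authorization("alice", "client-A", "read")
    first = auth.token("authorization_code", "client-A", code=code)
    refreshed = auth.token("refresh_token", "client-A", refresh_token=first["refresh_token"])
    replay = auth.token("refresh_token", "client-A", refresh_token=first["refresh_token"])
    stolen = auth.token("refresh_token", "client-B", refresh_token=refreshed["refresh_token"])
    return {
        "first": first,
        "refreshed": refreshed,
        "replay": replay,
        "stolen": stolen,
        "resource": rs.read(refreshed["access_token"]),
        "leaks_identity": reveals_identity(first, "alice") or reveals_identity(refreshed, "alice"),
    }


if __name__ == "__main__":
    result = run_flow()
    print("client-visible token response keys:", sorted(result["first"]))
    print("replay of rotated refresh token:", result["replay"])
    print("refresh token presented by another client:", result["stolen"])
    print("resource read with refreshed access token:", result["resource"])
    print("identity leaked to client:", result["leaks_identity"])
```

The point the flow makes is the one Igor concedes in his reply: the client learns nothing about the user from either token response, and it would learn just as little from an access token alone. What the refresh token adds is continuity of access after the access token expires; the server-side record it points to is what carries the user, the client binding and the scope.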