+1  (against the removal)


On 8/18/2011 12:58 PM, Anthony Nadalin wrote:
Agree, against the removal of text

-----Original Message-----
From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Lodderstedt, Torsten
Sent: Thursday, August 18, 2011 1:01 AM
To: Eran Hammer-Lahav; oauth@ietf.org
Subject: Re: [OAUTH-WG] Partial set of last call comments on OAuth draft 20 from Yaron Goland

1.4.3.  Resource Owner Password Credentials: Comment on "(when combined with a refresh token)": "This is the first time that refresh tokens are mentioned in the spec. And yet there is no explanation of what they are. I suspect they should anyway be introduced in section 1.4.1 (as previously noted) and then their use here will make sense. If that isn't possible then it would be good to have a forward reference to section 1.5 below so the reader has some idea of what's going on."
I removed '(when combined with a refresh token)'. This is actually not true as there is no assumption that access tokens are always short-lived or that refresh tokens will always be issued to native applications using this grant type.
-1 against removing this text (w/o a suitable replacement) and w/o group consent.

The -20 text clearly points out that this combination "... eliminates the need for the client to store the resource owner credentials for future use". The resource owner grant type alone does not justify this statement.
It's true that the spec does not explicitly define the lifetime assumption for access and refresh tokens (which is a pity in my opinion). So at least add something like "if the token lifetime is reasonably long enough".

regards,
Torsten.
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
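The point argued above, that the password grant only lets a native client stop holding the resource owner's password once a refresh token is issued alongside the access token, as an added example that is not part of the thread and not the OAuth specification's own text or code. It is a self-contained toy: `ToyAuthorizationServer`, `NativeClient`, `ACCESS_TTL` and the user "alice" with a constructed password are all assumptions of this illustration. It goes slightly beyond the thread by consuming each refresh token on use (rotation) and by showing the failure mode Torsten's caveat implies: with no refresh token, the client must re-prompt once the access token expires, because it has not kept the password.

```python
"""Toy password-grant + refresh-token flow (added illustration, not RFC code).
The client keeps only tokens after the initial exchange; the password is
a transient parameter of login() and is never stored."""
import hashlib
import hmac
import secrets

ACCESS_TTL = 300  # seconds; constructed value, the spec sets no lifetime


class ReauthenticationRequired(Exception):
    """Raised when the access token is unusable and no refresh token is held."""


class ToyAuthorizationServer:
    """Minimal token endpoint for the 'password' and 'refresh_token' grants."""

    def __init__(self, users, issue_refresh_tokens=True):
        # users: {username: password}; kept only as salted PBKDF2 digests
        self._users = {}
        for name, pw in users.items():
            salt = secrets.token_bytes(16)
            self._users[name] = (salt, self._digest(pw, salt))
        self._issue_refresh = issue_refresh_tokens
        self._access = {}   # access_token -> expiry time
        self._refresh = {}  # refresh_token -> username

    @staticmethod
    def _digest(pw, salt):
        return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 50_000)

    def _issue(self, username, now):
        access = secrets.token_urlsafe(32)
        self._access[access] = now + ACCESS_TTL
        resp = {"access_token": access, "token_type": "Bearer", "expires_in": ACCESS_TTL}
        if self._issue_refresh:
            refresh = secrets.token_urlsafe(32)
            self._refresh[refresh] = username
            resp["refresh_token"] = refresh
        return resp

    def token(self, now, **params):
        """Token endpoint; `now` is injected so expiry can be tested deterministically."""
        grant = params.get("grant_type")
        if grant == "password":
            record = self._users.get(params.get("username"))
            if record is None:
                return {"error": "invalid_grant"}
            salt, digest = record
            if not hmac.compare_digest(digest, self._digest(params.get("password", ""), salt)):
                return {"error": "invalid_grant"}
            return self._issue(params["username"], now)
        if grant == "refresh_token":
            # rotation: a refresh token is consumed when used, so replay fails
            username = self._refresh.pop(params.get("refresh_token"), None)
            if username is None:
                return {"error": "invalid_grant"}
            return self._issue(username, now)
        return {"error": "unsupported_grant_type"}

    def resource(self, access_token, now):
        """Protected resource: returns None for a missing or expired token."""
        expiry = self._access.get(access_token)
        if expiry is None or now >= expiry:
            return None
        return "protected resource"


class NativeClient:
    def __init__(self, server):
        self._server = server
        self._access = None
        self._refresh = None

    def login(self, username, password, now):
        resp = self._server.token(now, grant_type="password",
                                  username=username, password=password)
        if "error" in resp:
            raise PermissionError(resp["error"])
        self._access = resp["access_token"]
        self._refresh = resp.get("refresh_token")
        # `password` goes out of scope here; nothing on the client retains it

    def stored_secrets(self):
        """Everything the client persists: tokens only, never the password."""
        return {"access_token": self._access, "refresh_token": self._refresh}

    def fetch(self, now):
        result = self._server.resource(self._access, now)
        if result is not None:
            return result
        if self._refresh is None:
            # Without a refresh token the only way forward is to ask the user again.
            raise ReauthenticationRequired("access token expired, no refresh token held")
        resp = self._server.token(now, grant_type="refresh_token",
                                  refresh_token=self._refresh)
        if "error" in resp:
            self._refresh = None
            raise ReauthenticationRequired(resp["error"])
        self._access = resp["access_token"]
        self._refresh = resp.get("refresh_token", self._refresh)
        return self._server.resource(self._access, now)
```

Run it twice, once with `issue_refresh_tokens=True` and once with `False`: in the first case `fetch()` keeps succeeding past `ACCESS_TTL` using only stored tokens, in the second it raises `ReauthenticationRequired` at that point, which is exactly why the "(when combined with a refresh token)" qualifier carries the security claim about not storing credentials.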
