Hi,

What are the plans for the OAuth HOTK draft with respect to refresh tokens? Section 4.3 says that a new public key can be bound to a new access token using a refresh token grant, but it would be nice if the refresh token could also use the public key such that when using the refresh token as a grant type to get a new access token, the AS could receive the same security robustness with the RT as the RS does with the AT.

John, I think you mentioned something along these lines at CIS, but it was late at night and my memory is foggy. Either way, the current draft does not discuss this. Is this something that will be included in future versions?

-adam

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth