On Oct 31, 2012, at 1:29 PM, Lewis Adam-CAL022 
<adam.le...@motorolasolutions.com> wrote:

> Hi Dick,
>  
> Totally agree about keeping things simple :)
>  
> I’ll be the first to admit that many of my use cases are edge cases, but I 
> was sort of hoping that “this one” might find some common mindshare within 
> the community.  Maybe it is just Google using refresh tokens today on the 
> social web, but I think we all know that OAuth is going to have life well 
> beyond the social web.  Whether that’s good or bad has of course been the 
> foundation of so much of the recent “entertainment” in the OAuth blogosphere :)

FYI: A design goal of WRAP, and hence OAuth 2.0, was to support a number of 
enterprise use cases. I expect people will use it in ways not imagined, which 
*may* require additions.

I point out the non-refresh-token implementations to highlight that numerous 
implementors have not felt the added security is worth the extra client 
developer overhead, in case you felt that it was a requirement.

>  
> If I can’t find anybody else in the community to agree that what I propose is 
> useful, then I’ll cry uncle and let it rest.

It will be interesting to see if others have the same use case.

> Btw, in response to your question “why not have 3 different calls to the AS 
> so that there are separate refresh tokens for each RS?” … it all comes down 
> to end user experience / latency. 

Could you not make all three calls in parallel, and then you get the access 
token that you want right away with no latency?


_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
