Hi all,

I am new to the OAUTH list and OAUTH, so apologies if this is very off-topic.

I am evaluating an OAUTH 2.0 implementation that is done based on the bare-bones
base OAUTH 2.0 RFC. From what I understand, many (or some) client
implementations use a "global ID/secret" pair for all instances of the
client. Looking at RFC 6819, there seems to be a whole page on this
topic, if I understand it correctly. So, questions:

1) Section 3.7 talks about deployment-independent versus deployment-specific
client IDs. I am guessing "deployment-independent" refers to what I
called "global", meaning if I have the same client with the same client ID
installed in many end devices, that is a deployment-independent case,
correct?

2) Section 3.3 on refresh tokens mentions that the token is a secret bound
to the client ID and client instance. Could somebody please point me to
where the token generation and binding is described? Also, how is the client
instance identified?

Thanks a lot in advance,

Madjid Nakhjiri

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
