Hello

I was reviewing the latest DPoP draft[1] and saw numerous mentions of using
a DPoP proof for refreshing an access token, but no explicit description of
how to do that, nor an example. Was this intentional?

Perhaps a new section "Refreshing an Access Token"?

Additionally, I can imagine that an AS can improve its security posture by
adding support for DPoP *just* to token refresh and not requiring existing
resource servers to upgrade. Rotating refresh tokens would not be as
critical for public clients using DPoP for token refresh.

Would using DPoP only for token refresh be appropriate? If so, language
describing that would be helpful. :)

/Dick

[1] https://tools.ietf.org/html/draft-fett-oauth-dpop-04
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
