Re: [OAUTH-WG] Lifetime of refresh token

2015-08-31 Thread Donghwan Kim
both, so the user needs to log in. > > In general I think rolling the refresh token is a good idea though it is > not popular, I think it is more secure. > > John B. > > > > On Aug 28, 2015, at 11:21 AM, Donghwan Kim <flowersinthes...@gmail.com> > wr

Re: [OAUTH-WG] Lifetime of refresh token

2015-08-28 Thread Donghwan Kim
, at 2:41 AM, Donghwan Kim flowersinthes...@gmail.com wrote: Hi, According to Figure 2 from http://tools.ietf.org/html/rfc6749#section-1.5, refresh token can be used to refresh an expired access token without requesting resource owner to sign in again (uncomfortable experience). However, if it's

Re: [OAUTH-WG] Is it allow to add custom attribute to access token response?

2015-08-24 Thread Donghwan Kim
., postal address, email address, home page URI) may also be included. You need to have a specification to do that. I don’t see this as a good idea, but that is how you would do it. Regards John B. On Aug 20, 2015, at 11:15 AM, Donghwan Kim flowersinthes...@gmail.com wrote: Hi, I

[OAUTH-WG] Lifetime of refresh token

2015-08-24 Thread Donghwan Kim
Hi, According to Figure 2 from http://tools.ietf.org/html/rfc6749#section-1.5, refresh token can be used to refresh an expired access token without requesting resource owner to sign in again (uncomfortable experience). However, if it's true, isn't it that refresh token might be used to request a

Re: [OAUTH-WG] Is it allow to add custom attribute to access token response?

2015-08-24 Thread Donghwan Kim
of the responsible party. Other details (e.g., postal address, email address, home page URI) may also be included. You need to have a specification to do that. I don’t see this as a good idea, but that is how you would do it. Regards John B. On Aug 20, 2015, at 11:15 AM, Donghwan Kim

[OAUTH-WG] Is it allow to add custom attribute to access token response?

2015-08-21 Thread Donghwan Kim
Hi, I would like to add a custom property representing the account who just authenticated to the access token response for the sake of convenience like login request's response. Then, an exchange of request and response will look like this: POST /tokens HTTP/1.1 Host: api.example.com