Hi Sanjeewa,

I think what we have is correct. According to the spec, to refresh the
access token the client needs to authenticate with the server (by sending
client_id, client_secret) and send the refresh_token. This is what the API
Manager doc also says. The only additional parameter the API Manager doc has
is the scope, which is optional according to the spec.

Thanks,
Johann.




On Wed, Apr 3, 2013 at 6:00 PM, Sanjeewa Malalgoda <[email protected]> wrote:

> Hi,
> In our OAuth2 implementation we have to send consumer key and secret key
> (base 64 encoded) with refresh token to generate new access token. It's
> explained in API manager document[1] in that manner. But AFAIK we do not
> need to pass consumer and consumer secret keys to generate new access token
> when we have refresh token and user credentials. It's explained in OAuth2
> spec[2] as follows. Please correct me if I understood this concept in a
> wrong way.
>
>         The client requests a new access token by authenticating with
>         the authorization server and presenting the refresh token.  The
>         client authentication requirements are based on the client type
>         and on the authorization server policies.
>
>
>
> [1] http://docs.wso2.org/wiki/display/AM130/User+Tokens#UserTokens-Renewing
> [2] http://tools.ietf.org/html/draft-ietf-oauth-v2-31
>
> Thanks.
> --
> *Sanjeewa Malalgoda*
> WSO2 Inc.
> Mobile : +14084122175 | +94713068779
>
> blog: http://sanjeewamalalgoda.blogspot.com/
>
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
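
The refresh request discussed in this thread, as an added example that is not part of the original messages or of WSO2's code: the client sends its consumer key and secret in an HTTP Basic header together with the refresh token, and the server rejects the request unless the client authenticates and the token was issued to that same client (a check the OAuth2 spec requires). The function names, client table and token values are constructed for illustration, and the sample credentials are assumed to contain no characters that need URL-encoding.

```python
import base64
import hmac
from urllib.parse import urlencode, parse_qs

# Constructed sample data; a real server keeps secrets hashed in a store.
CLIENTS = {"sample-consumer-key": "sample-consumer-secret",
           "other-consumer-key": "other-consumer-secret"}
# Refresh token -> consumer key of the client it was issued to.
REFRESH_TOKENS = {"sample-refresh-token": "sample-consumer-key"}


def build_refresh_request(client_id, client_secret, refresh_token, scope=None):
    """Client side: return (headers, body) for the token endpoint POST."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    params = {"grant_type": "refresh_token", "refresh_token": refresh_token}
    if scope:  # scope is optional on a refresh request
        params["scope"] = scope
    headers = {"Authorization": "Basic " + creds,
               "Content-Type": "application/x-www-form-urlencoded"}
    return headers, urlencode(params)


def check_refresh_request(headers, body):
    """Server side: return an OAuth2 error code, or None if acceptable."""
    scheme, _, value = headers.get("Authorization", "").partition(" ")
    if scheme != "Basic":
        return "invalid_client"          # no client authentication at all
    try:
        decoded = base64.b64decode(value, validate=True).decode()
    except ValueError:                   # bad base64 or bad UTF-8
        return "invalid_client"
    client_id, sep, secret = decoded.partition(":")
    expected = CLIENTS.get(client_id)
    # Constant-time comparison so the check does not leak secret prefixes.
    if not sep or expected is None or not hmac.compare_digest(
            secret.encode(), expected.encode()):
        return "invalid_client"
    form = parse_qs(body)
    if "grant_type" not in form or "refresh_token" not in form:
        return "invalid_request"
    if form["grant_type"] != ["refresh_token"]:
        return "unsupported_grant_type"
    # The token must belong to the client that just authenticated.
    if REFRESH_TOKENS.get(form["refresh_token"][0]) != client_id:
        return "invalid_grant"
    return None
```

A stolen refresh token presented without the matching client credentials, or by a different registered client, fails the last check even though the token itself is valid.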
