Hi Brian,
thanks for the clarification. Should the WG document this kind of
security design decision somewhere?
regards,
Torsten.
On Tue, Mar 23, 2010 at 12:01 PM, David Recordon <[email protected]> wrote:
§3
- Why is the parameter oauth_client_secret required for refreshing access
tokens? Use cases 2.2 and 2.3 do not require the client to use (possess) a
secret. Does this imply such clients are not entitled to refresh tokens? I
would suggest simply removing this parameter.
It shouldn't be required. Fixed!
http://github.com/daveman692/OAuth-2.0/commit/a30843724f241f3ea1052c83dcfec0127a11fe00
It was required in WRAP because it lets you recover if a client web
server that holds many refresh tokens is compromised. You rotate the
client secret, and then the attacker loses access to user data.
Please add it back. =)
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
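The recovery argument made above (rotate the client secret, and stolen refresh tokens become useless) is easy to see in code. The following is an added example written for this page, not code from the OAuth 2.0 draft, from WRAP, or from any poster on the thread: a toy in-memory token endpoint that can be run with or without requiring the client secret on refresh, plus a simulated compromise of a client's refresh-token store followed by a secret rotation. The class and function names (TokenEndpoint, simulate_compromise), the client ids and secrets, and the use of the error strings invalid_client and invalid_grant (taken from the later RFC 6749, not necessarily from the 2010 draft) are all assumptions made for the example.

```python
"""Added example (not from the draft, WRAP, or the thread): why a
confidential client should present its client_secret when refreshing.
All names, secrets and error strings below are constructed for this demo."""
import hashlib
import hmac
import secrets


def _hash_secret(secret: str) -> bytes:
    # Store only a hash of the secret so a dump of the server's client
    # table does not hand out secrets directly.
    return hashlib.sha256(secret.encode()).digest()


class TokenEndpoint:
    """Minimal in-memory token endpoint (constructed for this example)."""

    def __init__(self, require_secret_on_refresh: bool = True):
        self.require_secret_on_refresh = require_secret_on_refresh
        self._client_secrets = {}   # client_id -> sha256(secret)
        self._refresh_tokens = {}   # refresh_token -> client_id it was issued to

    def register_client(self, client_id: str, client_secret: str) -> None:
        self._client_secrets[client_id] = _hash_secret(client_secret)

    def rotate_secret(self, client_id: str, new_secret: str) -> None:
        """The recovery step from the thread: swap the client's secret.
        Note that no refresh tokens are revoked or even touched."""
        self._client_secrets[client_id] = _hash_secret(new_secret)

    def _authenticate_client(self, client_id: str, client_secret) -> bool:
        stored = self._client_secrets.get(client_id)
        if stored is None or client_secret is None:
            return False
        # Constant-time comparison of the two hashes.
        return hmac.compare_digest(stored, _hash_secret(client_secret))

    def issue_tokens(self, client_id: str) -> dict:
        """Issue an access token plus a refresh token bound to the client.
        The user-authorization step is assumed to have already happened."""
        refresh_token = secrets.token_urlsafe(32)
        self._refresh_tokens[refresh_token] = client_id
        return {"access_token": secrets.token_urlsafe(32),
                "refresh_token": refresh_token}

    def refresh(self, client_id: str, refresh_token: str,
                client_secret=None) -> dict:
        """Refresh grant. With require_secret_on_refresh the client must
        authenticate; without it, possession of the refresh token is enough."""
        if self.require_secret_on_refresh and \
                not self._authenticate_client(client_id, client_secret):
            return {"error": "invalid_client"}
        if self._refresh_tokens.get(refresh_token) != client_id:
            return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(32)}


def simulate_compromise(require_secret: bool) -> dict:
    """Scenario from the thread: a client web server holding many refresh
    tokens (and its current secret) is compromised; the operator responds by
    rotating the client secret. Reports whether the attacker, still holding
    the stolen tokens and the OLD secret, can keep refreshing afterwards, and
    whether the legitimate client, now using the NEW secret, still can."""
    server = TokenEndpoint(require_secret_on_refresh=require_secret)
    server.register_client("webapp", "old-secret")

    # The client's token store: refresh tokens for several users (constructed).
    token_store = [server.issue_tokens("webapp")["refresh_token"]
                   for _ in range(3)]
    stolen = list(token_store)          # attacker copies the whole store

    server.rotate_secret("webapp", "new-secret")   # recovery action

    attacker_results = [server.refresh("webapp", rt, client_secret="old-secret")
                        for rt in stolen]
    client_results = [server.refresh("webapp", rt, client_secret="new-secret")
                      for rt in token_store]
    return {
        "attacker_can_refresh": all("access_token" in r for r in attacker_results),
        "client_can_refresh": all("access_token" in r for r in client_results),
    }


if __name__ == "__main__":
    print("secret required on refresh:", simulate_compromise(True))
    print("secret not required:       ", simulate_compromise(False))
```

Running it shows the trade-off the thread is about: with the secret required, rotating it cuts the attacker off while the legitimate client keeps working; with the secret optional, the stolen refresh tokens remain usable until each one is individually revoked.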