It's a growing list... :-)
If the client can ask for a refresh token, why not also let it ask for a
secret in each flow, and a username, and specific UI, etc. At some point we
cross a line and the protocol becomes complex (even if rich). I'm asking
where that line is, and if this qualifies as worthy of extra complexity. I
don't have an answer.
I also prefer to reduce the number of parameters. If an AS returns a
refresh token and the Client chooses to ignore it, that's easy code to
write. :)
The same holds for token secrets; why not return them with every
response?
regards,
Torsten.
_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth